CISCO addresses DoS bugs in CISCO ESA products

Cisco addressed two DoS vulnerabilities in CISCO ESA products that can be exploited by remote unauthenticated attacker.

Cisco fixed two denial-of-service (DoS) flaws in Email Security Appliance (ESA) products that can be exploited by a remote unauthenticated attacker.

The first flaw tracked as CVE-2018-15453  has been rated as “critical,” it is a memory corruption bug caused by improper input validation in emails signed with Secure/Multipurpose Internet Mail Extensions (S/MIME). The attacker could send a specially crafted S/MIME email to vulnerable ESA products and can cause appliances to reload and enter a DoS condition.

“A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory.” reads the security advisory published by Cisco.

“A successful exploit could cause the filtering process to unexpectedly reload, resulting in a denial of service (DoS) condition on the device. “

Experts pointed out that the DoS condition is permanent because even after the software restart, it will process the same malicious email.

To restore the Cisco ESA product it is necessary to manually fix it.

“A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA. ” continues the advisory.

“This vulnerability affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), both virtual and hardware appliances, if the software is configured for S/MIME Decryption and Verification or S/MIME Public Key Harvesting.”

The second DoS flaw in Cisco ESA, tracked as CVE-2018-15460 and rated “high severity,” affects the message filtering feature of AsyncOS software.

The flaw could be exploited by an attacker to cause a DoS condition by getting CPU usage to increase to 100%. The attacker could trigger the issue by sending an email containing a large number of whitelisted URLs.

“A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device.” reads the security advisory.

“The vulnerability is due to improper filtering of email messages that contain references to whitelisted URLs. An attacker could exploit this vulnerability by sending a malicious email message that contains a large number of whitelisted URLs.”

Also in this case, the successful exploitation of the bug could allow the attacker to cause a sustained DoS condition. The vulnerable device will stop scanning and forwarding email messages.

Both vulnerabilities in Cisco ESA were discovered by Cisco, the good news is that there is no evidence of malicious exploitation.

“This vulnerability affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco ESAs, both virtual and hardware, if the URL Filtering as Global Setting feature is enabled and a URL whitelist is in use. By default, the URL Filtering as Global Setting feature is disabled. ” states the advisory.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – DoS, CISCO ESA)

[adrotate banner=”5″] [adrotate banner=”13″]