Cisco has plugged a heap of security holes in many of its products, including two vulnerabilities (one critical) that open its email security appliances to denial of service attacks.
About the vulnerabilities
Both vulnerabilities affect the Cisco AsyncOS Software for Cisco Email Security Appliances, and can be exploited remotely by unauthenticated attackers.
CVE-2018-15453 can be exploited by sending a malicious S/MIME-signed email through a targeted device.
“If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again,” the company explained.
“A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.”
CVE-2018-15460 can be exploited by sending a malicious email message that contains a large number of whitelisted URLs. A successful exploit can cause a sustained DoS condition that could force the affected device to stop scanning and forwarding email messages.
While there are no workarounds for the first flaw, the possibility of the second one being exploited can be removed by disabling Global URL Filtering. Nevertheless, implementing the software updates provided by Cisco is a better idea.
The rest of the vulnerabilities fixed by Cisco in this batch of security updates are less severe.
SEC Consult released details and PoC code for several of those affecting Cisco VoIP phones.