
Cisco patches bug that could break its e-mail security service with a single message

A carefully crafted email could freeze Cisco's Email Security Appliance interface and stop it processing messages

18 February 2022

Cisco has fixed a bug that could allow attackers to lock up its e-mail security appliance with a single malicious e-mail.

The bug, which has the ID CVE-2022-20653, affects Cisco’s Email Security Appliance (ESA), an e-mail security gateway product that detects and blocks malware, spam, and phishing attempts.

The flaw is in the AsyncOS operating system that the ESA runs, according to an advisory the company issued this week.


Specifically, the bug sits in the appliance’s use of DNS-based Authentication of Named Entities (DANE). DANE relies on DNSSEC-validated DNS records to give the mail gateway extra assurance that the certificate presented by a remote mail server is the one its operator published, which makes it harder for malicious actors to spoof digital certificates or use man-in-the-middle attacks to misdirect connections.

However, Cisco found that AsyncOS did not properly handle DNS name resolution for this feature, so malicious input could trigger the fault.
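To make the DANE check concrete, here is an added example of what a DANE-aware SMTP client does with the TLSA records it receives: it selects the certificate bytes named by the record’s selector, hashes them according to the matching type, compares the result to the published association data, and treats malformed or unusable records as something to skip rather than something that can raise out of the mail path. This is illustrative code written for this article, not Cisco’s AsyncOS implementation; the `Cert` class and all certificate bytes are constructed stand-ins (a real client would extract the DER and SubjectPublicKeyInfo from an X.509 library), and the DANE-TA branch only shows the matching step, not the chain building a real client must also do.

```python
"""Minimal DANE/TLSA matcher for an SMTP client, with defensive handling of
malformed records. Illustrative example only; not Cisco code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate DER, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (assumption: the caller already
    extracted the DER and SubjectPublicKeyInfo bytes with an X.509 library)."""
    der: bytes
    spki: bytes


def parse_tlsa_rdata(rdata: bytes) -> Optional[TlsaRecord]:
    # TLSA rdata = usage(1) selector(1) matching_type(1) data(n); shorter input is junk.
    if len(rdata) < 4:
        return None
    return TlsaRecord(rdata[0], rdata[1], rdata[2], rdata[3:])


def parse_tlsa_rrset(rdatas: List[bytes]) -> List[TlsaRecord]:
    # A malformed record from the resolver is dropped, never allowed to raise.
    return [r for r in (parse_tlsa_rdata(x) for x in rdatas) if r is not None]


DIGEST_LEN = {0: None, 1: 32, 2: 64}   # expected data length per matching type


def association_data(cert: Cert, selector: int, mtype: int) -> Optional[bytes]:
    selected = {0: cert.der, 1: cert.spki}.get(selector)
    if selected is None or mtype not in DIGEST_LEN:
        return None   # unknown selector or matching type: record is unusable, not an error
    if mtype == 0:
        return selected
    return hashlib.sha256(selected).digest() if mtype == 1 else hashlib.sha512(selected).digest()


def tlsa_matches(record: TlsaRecord, cert: Cert) -> bool:
    expected = association_data(cert, record.selector, record.matching_type)
    if expected is None:
        return False
    want = DIGEST_LEN[record.matching_type]
    if want is not None and len(record.data) != want:
        return False  # wrong digest length: unusable record, skipped quietly
    return hmac.compare_digest(expected, record.data)


def dane_verify(records: List[TlsaRecord], chain: List[Cert], dnssec_secure: bool) -> str:
    """chain[0] is the server's end-entity cert, chain[1:] its issuers."""
    if not dnssec_secure:
        return "dnssec-insecure"  # TLSA data is only trustworthy when DNSSEC validated it
    usable = [r for r in records if r.usage in (2, 3)]  # only DANE-TA / DANE-EE for SMTP
    if not usable:
        return "no-usable-tlsa"
    for r in usable:
        if r.usage == 3 and tlsa_matches(r, chain[0]):
            return "dane-ee-match"
        # DANE-TA: a real client must also build the chain to this anchor; only matching shown
        if r.usage == 2 and any(tlsa_matches(r, c) for c in chain[1:]):
            return "dane-ta-match"
    return "dane-mismatch"


# ---- constructed sample data (not real certificates or DNS records) ----
EE = Cert(der=b"constructed-ee-cert-der", spki=b"constructed-ee-spki")
ISSUER = Cert(der=b"constructed-issuer-der", spki=b"constructed-issuer-spki")
GOOD_RDATA = bytes([3, 1, 1]) + hashlib.sha256(EE.spki).digest()   # "3 1 1 <sha256(spki)>"
BAD_RDATA = bytes([3, 1])                                          # truncated: ignored
WRONG_RDATA = bytes([3, 1, 1]) + b"\x00" * 32                       # right length, wrong digest
SHORT_DIGEST_RDATA = bytes([3, 1, 1]) + b"\x01" * 5                 # wrong length: skipped


def demo():
    records = parse_tlsa_rrset([BAD_RDATA, SHORT_DIGEST_RDATA, WRONG_RDATA, GOOD_RDATA])
    return len(records), dane_verify(records, [EE, ISSUER], dnssec_secure=True)


if __name__ == "__main__":
    print(demo())   # (3, 'dane-ee-match')
```

The point a defender should take from this is the shape of the error handling: every unexpected value coming back from DNS (a truncated record, an unknown matching type, a digest of the wrong length) is treated as "this record is unusable" and the client moves on, so resolver output can never stall the delivery pipeline. The mismatch, no-usable-record and DNSSEC-insecure outcomes are returned as distinct results so the deployment can apply its own policy to each.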

In this case, the malicious input is an e-mail: a correctly crafted message could freeze the appliance’s management interface and stop it processing further e-mails until the device had recovered.

Cisco has classified the vulnerability, which has a CVSS score of 7.5, as a denial of service (DoS) bug.

“Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition,” Cisco warned.

The DANE feature is not enabled by default, meaning that only those who have activated it will be affected. Those customers can install Cisco’s software updates to fix the problem.

As a workaround, customers can also configure the ESA itself to generate bounce messages, rather than having downstream dependent mail servers do so, to stop attackers exploiting the bug, the company said.

The AsyncOS software had two other reported vulnerabilities last year. CVE-2021-1566 was a bug in its Cisco Advanced Malware Protection (AMP) for Endpoints integration that allowed the interception of remote traffic. The other, CVE-2021-1359, allowed attackers to gain root privileges.
