Cisco Patches Critical Vulnerability in Facility Events Response System

Cisco warns of 16 flaws in its latest security bulletin, mostly impacting its Cisco AsyncOS software used in its Email Security Appliances.

Cisco Systems issued a security bulletin Wednesday for a critical vulnerability found in its IP Interoperability and Collaboration System (IPICS). The feature is a key part of a mechanism used by Cisco to facilitate emergency responses for “facility events.”

The vulnerability (CVE-2016-6397), according to Cisco, could allow an attacker to access the IPICS communications interface and cause the system to become unavailable. A software fix has been released to address the flaw and no workaround is available, according to Cisco.

Cisco also warned of three flaws found in its Cisco AsyncOS software used in its email security appliances, each rated high. Cisco has issued software patches for each of the bugs; however, no workarounds are available.

One of those flaws (CVE-2016-1481) was found in the filtering feature of the Cisco AsyncOS software and could allow an adversary to send a crafted email message with a compressed attachment that could result in a denial of service condition, Cisco said.

Another DoS-related vulnerability (CVE-2016-1486) rated high, also impacting AsyncOS software, is tied to the Cisco Email Security Appliance’s ability to scan attachments for malware. According to Cisco, the flaw could allow an “unauthenticated, remote attacker to cause an affected device to stop scanning and forwarding email messages due to a denial of service (DoS) condition.”

The third vulnerability rated high (CVE-2016-6356) is due to improper input validation of email attachments that have corrupted fields, according to Cisco. As with the previous flaw, the vulnerability could allow a remote attacker to cause an affected device to stop scanning and forwarding email messages due to a denial of service (DoS) condition.

In total, Cisco’s security bulletin included 16 vulnerabilities. Additional flaws were rated medium and ranged from a cross-site scripting flaw (CVE-2016-6451) found in Cisco’s Prime Collaboration Provisioning software to a vulnerability (CVE-2016-6430) in the command-line interface of the Cisco IP Interoperability and Collaboration System (IPICS) that “could allow an authenticated, local attacker to elevate the privilege level associated with their session,” according to Cisco.