Cisco has patched two serious vulnerabilities, one critical and one high-severity, in the software that runs its Email Security Appliance. Both bugs lead to a denial of service (DoS) on affected devices, and both can be triggered by an attacker who simply sends an email through the appliance.
Overall, the company on Wednesday released 18 fixes for vulnerabilities across its product line: one critical, one high-severity and 16 medium-severity bugs. The most severe of these, a critical vulnerability tracked as CVE-2018-15453, carries a CVSS score of 8.6 and can lead to what Cisco calls a “permanent DoS” on affected devices.
The flaw exists in Cisco AsyncOS, the operating software for the Cisco Email Security Appliance, Cisco’s platform for protecting against email-borne threats. Specifically, the vulnerability lies in the software’s handling of Secure/Multipurpose Internet Mail Extensions (S/MIME), the standards-based method for signing and encrypting email so that recipients can verify the sender and read messages that were encrypted in transit.
The vulnerability is caused by improper input validation of S/MIME-signed emails in two of the software’s S/MIME features: the decryption-and-verification feature and the public-key harvesting feature.
Improper input validation means the software accepts data it does not check carefully enough, so a specially crafted input can reach code paths that assume well-formed data. In this case, when either of those two S/MIME features is configured, an attacker can exploit the vulnerability by sending a malicious S/MIME-signed email through a targeted device.
Once these S/MIME features receive this unintended input, it causes the system to crash: “If decryption and verification or public-key harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition,” said Cisco.
Making matters worse, once the filtering process restarts it picks up the same queued S/MIME-signed email and tries to process it again, so the process crashes and restarts in a loop.
“A successful exploit could allow the attacker to cause a permanent DoS condition,” said Cisco. This vulnerability may require manual intervention to recover the email security appliance.
The current release of Cisco’s AsyncOS Software for the Email Security Appliance, Version 12, is not affected, Cisco said. The company published a table listing which AsyncOS versions are affected by the vulnerability (below).
Meanwhile, Cisco also patched a high-severity vulnerability (CVE-2018-15460), which is also in AsyncOS and also carries a CVSS score of 8.6.
Specifically, the bug stems from the software’s email message-filtering feature, which improperly handles messages that contain references to whitelisted URLs. Whitelisted URLs are links to trusted partner or vendor sites that an administrator has exempted from the appliance’s anti-virus, anti-spyware and anti-malware URL policies, so that legitimate content from those sites is not blocked.
Because of the flaw, an unauthenticated, remote attacker can exploit the vulnerability simply by sending a malicious email message that contains a large number of whitelisted URLs. Processing that message drives the affected device’s CPU utilization to 100 percent, resulting in a denial of service (DoS) on the device, Cisco said.
“A successful exploit could allow the attacker to cause a sustained DoS condition that could force the affected device to stop scanning and forwarding email messages,” according to Cisco’s advisory.
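Both bugs share a useful property for defenders: the trigger is visible in the message itself before it reaches the vulnerable filtering process. As an added illustration, not Cisco’s code or its fix, the Python below parses an inbound RFC 5322 message with the standard library and flags the two trigger shapes described above: an S/MIME-signed message (the CVE-2018-15453 path) and a message carrying an unusually large number of URL references (the CVE-2018-15460 path). The MAX_URLS threshold, the URL regex and the three sample messages are assumptions constructed for the example; the S/MIME sample uses a placeholder signature blob, not a real CMS structure.

```python
"""Inbound-mail triage for the two AsyncOS DoS trigger classes described
in this article. Added illustration, not Cisco's code or fix: it flags
messages that are S/MIME-signed or that reference an unusually large
number of URLs so an unpatched gateway can hold them for inspection
instead of feeding them straight into the filtering process.
The MAX_URLS threshold and the sample messages are assumptions."""
import re
from email import message_from_string, policy

# Assumed threshold: a message with more URL references than this is held.
# Tune against a baseline of legitimate traffic before deploying.
MAX_URLS = 50

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# MIME types used to carry CMS signatures (RFC 8551); both the IETF and
# the legacy "x-" registrations are seen in the wild.
PKCS7_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def is_smime_signed(msg):
    """True if the message is S/MIME-signed, either clear-signed
    (multipart/signed with a pkcs7-signature part) or opaque-signed
    (application/pkcs7-mime with smime-type=signed-data).
    Encrypted-only (enveloped-data) messages are not flagged."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        protocol = (msg.get_param("protocol") or "").lower()
        return protocol in PKCS7_SIGNATURE
    if ctype in PKCS7_MIME:
        smime_type = (msg.get_param("smime-type") or "").lower()
        # An absent smime-type is treated as signed-data, the historical default.
        return smime_type in ("signed-data", "")
    return False


def count_urls(msg):
    """Count every URL occurrence in the text/* parts of the message
    (duplicates included, since each reference costs the filter work)."""
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()
        except (LookupError, UnicodeDecodeError):
            # Unknown or mis-declared charset: decode leniently rather than
            # letting a malformed part escape the count.
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        total += len(URL_RE.findall(body))
    return total


def triage(raw_message):
    """Return a verdict dict for one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message, policy=policy.default)
    smime = is_smime_signed(msg)
    urls = count_urls(msg)
    reasons = []
    if smime:
        reasons.append("smime-signed")
    if urls > MAX_URLS:
        reasons.append(f"url-count {urls} > {MAX_URLS}")
    return {"smime_signed": smime, "url_count": urls,
            "hold": bool(reasons), "reasons": reasons}


# --- constructed sample messages (not real traffic) ----------------------
PLAIN_MSG = (
    "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: agenda\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Slides at https://example.com/a and notes at https://example.com/b\r\n"
)

# Many references to one "trusted" partner host: the CVE-2018-15460 shape.
URL_FLOOD_MSG = (
    "From: mailer@partner.example\r\nTo: bob@example.com\r\nSubject: links\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    + "\r\n".join(f"https://partner.example/item/{i}" for i in range(200)) + "\r\n"
)

# Clear-signed S/MIME layout; the signature blob is a placeholder.
SIGNED_MSG = (
    "From: carol@example.com\r\nTo: bob@example.com\r\nSubject: signed\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="sig1"\r\n\r\n'
    "--sig1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    "Contract draft: https://example.com/contract\r\n"
    '--sig1\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nMIIBAQ==\r\n--sig1--\r\n"
)

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_MSG), ("url-flood", URL_FLOOD_MSG),
                      ("smime", SIGNED_MSG)):
        print(name, triage(raw))
```

A check like this belongs upstream of the appliance, for example in an MTA milter or a pre-filter, because a message that has already reached the vulnerable filtering process is too late to hold. It is a stopgap for the window before the fixed AsyncOS release is installed, not a substitute for patching, and the URL threshold should be set from observed legitimate traffic so that newsletters and digest mails are not quarantined wholesale.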
The company said it is not aware of any malicious exploitation of either vulnerability.