Cisco Warns of Critical Flaw in Email Security Appliances

Cisco released a patch for a critical flaw that allowed a remote attacker to gain control of one of its email security appliances.

Cisco Systems released a critical security bulletin for a vulnerability that allows remote unauthenticated users to gain complete control of its email security appliances. The vulnerability is tied to Cisco’s IronPort AsyncOS operating system.

Cisco first issued a security bulletin last week for the IronPort AsyncOS, but on Wednesday updated that alert with more information including a software update that addresses the security flaw. Cisco also indicated a workaround exists that can halt remote access to affected email appliances.

Cisco says the vulnerability (CVE-2016-6406) is tied to the presence of the company’s own internal testing and debugging interface, which is accessible on the IronPort AsyncOS operating system. “An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges,” Cisco explains.

In addition to the critical IronPort AsyncOS vulnerability bulletin, Cisco also issued 10 security bulletins rated high and tied to its IOS and IOS XE software. Eight of the security bugs are vulnerabilities opening the door for remote attackers to carry out denial of service attacks. Cisco released software updates for each DoS vulnerability announced Wednesday.

One of those DoS vulnerabilities (CVE-2016-6382) is tied to Cisco’s IPv4 Multicast Source Discovery Protocol and IPv6 Protocol Independent Multicast. The flaw could allow an unauthenticated, remote attacker to send the IPv4 device traffic containing a packet designed to trigger a restart of the device. Cisco has released a software update that addresses this vulnerability.

Other DoS vulnerabilities include one (CVE-2016-6381) related to Cisco’s Internet Key Exchange version 1 fragmentation code in IOS and IOS XE software. Another DoS-related bug impacts H.323 message validation (CVE-2016-6384) and is due to a failure of the system to properly validate certain fields in an H.323 protocol suite message, according to Cisco. A vulnerability (CVE-2016-6391) was identified by Cisco in the Common Industrial Protocol (CIP) feature of its IOS software. The vulnerability could allow an unauthenticated, remote attacker to submit a CIP message request designed to cause a targeted Cisco switch to stop processing traffic, requiring a restart to regain functionality, according to Cisco.

Cisco also released software updates addressing two security bulletins rated medium and tied to its Firepower Management Center. One is a privilege escalation vulnerability (CVE-2016-6420) and the other a SQL injection vulnerability (CVE-2016-6419).

It has been a busy month of patching for Cisco. Last week, the networking giant rolled out nine security updates addressing critical vulnerabilities across its core product lines. Earlier this month, Cisco warned of 12 security vulnerabilities, one of them critical and relating to its WebEx Meeting Server.
