[BreachExchange] Critical Flaw in Cisco’s Email Security Appliance Enables ‘Permanent DoS’

Destry Winant destry at riskbasedsecurity.com
Fri Jan 11 10:13:25 EST 2019


https://threatpost.com/cisco-critical-vulnerability-patch/140726/

A remote attacker could exploit the vulnerability simply by sending an email.

Cisco has patched two serious vulnerabilities – one critical and one
high-severity – in its email security appliance tool. Both bugs
ultimately lead to a denial of service (DoS) on impacted devices – and
can be exploited by an attacker who simply sends an email.

Overall, the company on Wednesday released 18 fixes for
vulnerabilities spanning its products, including one critical, one
high- and 16 medium-severity bugs. The most severe of these, a
critical vulnerability (CVE-2018-15453), has a CVSS score of 8.6 and
could ultimately lead to “permanent DoS” on impacted devices.

The flaw exists in Cisco AsyncOS, the software for Cisco Email
Security Appliances, Cisco’s security platform for protecting against
email-based threats. Specifically, the vulnerability exists in the
software’s support for Secure/Multipurpose Internet Mail Extensions
(S/MIME), a standards-based method for sending and receiving secure,
verified email messages.

The vulnerability is due to improper input validation of
S/MIME-signed emails and exists in two of the software’s S/MIME
features: a decryption and verification feature and a public-key
harvesting feature.

Improper input validation means that an attacker could craft the input
in a form that is not expected by the rest of the application. In this
case, when those two S/MIME features are configured, an attacker
could exploit this vulnerability by sending a malicious S/MIME-signed
email through a targeted device.

When these S/MIME features receive this unexpected input, the system
crashes: “If decryption and verification or public-key
harvesting is configured, the filtering process could crash due to
memory corruption and restart, resulting in a DoS condition,” said
Cisco.

Making matters worse, the software would then attempt to resume
processing the same S/MIME-signed email, causing the filtering process
to crash and restart again.

“A successful exploit could allow the attacker to cause a permanent
DoS condition,” said Cisco. This vulnerability may require manual
intervention to recover the email security appliance.

The latest version of Cisco’s AsyncOS Software for its Email Security
Appliance is currently Version 12 – however, this latest version is
not impacted, said Cisco. The company released a graph outlining which
versions of AsyncOS are impacted by the vulnerability.

Meanwhile, Cisco also patched a high-severity vulnerability
(CVE-2018-15460), which also has a CVSS score of 8.6. The
vulnerability also exists in AsyncOS.

Specifically, the glitch stems from the email message-filtering
feature of the software. Essentially, the software improperly
filters email messages that contain references to whitelisted
URLs. Whitelisted URLs are trusted websites of partners or vendors
whose webmail might otherwise be blocked due to antivirus,
anti-spyware, or anti-malware policies.

Because of the flaw, an unauthenticated, remote attacker could exploit
this vulnerability simply by sending a malicious email message that
contains a large number of whitelisted URLs. That then causes the CPU
utilization of the victim’s device to increase to 100 percent, causing
a denial of service (DoS) condition on the affected device, said
Cisco.

“A successful exploit could allow the attacker to cause a sustained
DoS condition that could force the affected device to stop scanning
and forwarding email messages,” according to Cisco’s advisory.

The company said it is not aware of any malicious use of either vulnerability.
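
The restart loop described above for CVE-2018-15453, where the filtering
process resumes on the same S/MIME-signed email after every crash, is the
general "poison message" failure of a persistent work queue. The sketch
below is an added example, not code from Cisco or from the article: the
queue model, scan(), MAX_ATTEMPTS and the sample messages are assumptions
constructed to show how an attempt counter recorded before parsing lets a
worker set the message aside instead of looping.

```python
# Added illustration: a generic mail-queue worker, not Cisco AsyncOS code.
from collections import deque

MAX_ATTEMPTS = 3  # assumed threshold before a message is set aside


class FilterCrash(Exception):
    """Stands in for the filtering process dying on one message."""


def scan(message):
    # Constructed stand-in for a parser that fails on one malformed input.
    if message["body"].startswith("MALFORMED-SMIME"):
        raise FilterCrash(message["id"])
    return "delivered"


def run_queue(messages, quarantine_enabled, max_restarts=20):
    """Process a persistent queue; return (delivered, quarantined, restarts).

    max_restarts only bounds the simulation; a real crash loop has no bound
    and ends when an operator intervenes.
    """
    queue = deque(messages)
    attempts = {}  # survives "restarts", like on-disk queue state
    delivered, quarantined, restarts = [], [], 0
    while queue and restarts < max_restarts:
        msg = queue[0]  # after a restart the worker resumes at the head
        # Record the attempt BEFORE parsing, so a crash cannot lose the count.
        attempts[msg["id"]] = attempts.get(msg["id"], 0) + 1
        if quarantine_enabled and attempts[msg["id"]] > MAX_ATTEMPTS:
            quarantined.append(queue.popleft()["id"])
            continue
        try:
            scan(msg)
        except FilterCrash:
            restarts += 1  # process restarts; message is still at the head
            continue
        delivered.append(queue.popleft()["id"])
    return delivered, quarantined, restarts


# Constructed sample queue: one poison message ahead of normal mail.
SAMPLE = [
    {"id": "m1", "body": "hello"},
    {"id": "m2", "body": "MALFORMED-SMIME constructed sample"},
    {"id": "m3", "body": "quarterly report"},
]

if __name__ == "__main__":
    print("no quarantine:", run_queue(SAMPLE, quarantine_enabled=False))
    print("quarantine:   ", run_queue(SAMPLE, quarantine_enabled=True))
```

Without the counter, the message queued behind the malformed one is never
delivered; with it, the worker restarts three times, quarantines the
malformed message and continues.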

