Cisco's Email Security Appliances at Risk of DoS Attacks
Firm Releases Fixes, CISA Recommends Software Updates
Cisco's Email Security Appliance is affected by a high-rated vulnerability that can allow an unauthenticated remote attacker to launch a denial-of-service attack, the company says.
Cisco's Product Security Incident Response Team has not observed any active exploitation of this vulnerability, but the company and the U.S. Cybersecurity and Infrastructure Security Agency advise that the released patches be applied as soon as possible.
The vulnerability, tracked as CVE-2022-20653, occurs in the DNS-based Authentication of Named Entities, or DANE, email verification component of Cisco's AsyncOS software used in Cisco ESA, according to the company's advisory.
DANE is an internet security protocol that binds X.509 digital certificates to domain names using DNSSEC-signed TLSA records. It is specified in RFC 6698 as a way to authenticate TLS servers (and clients) without relying on a certificate authority, and RFC 7672 describes its use for securing SMTP transport, which is how an email gateway such as the ESA applies it to outbound mail delivery.
Cisco says that the "vulnerability is due to [an] insufficient error handling in DNS name resolution by the affected software." To exploit it, an attacker only needs to send a specially crafted email message that is processed by an affected device, the company says.
Post-exploitation, the attacker can make the device unreachable from management interfaces and not allow processing of additional email messages until the device recovers, resulting in a DoS condition, Cisco says. It adds: "Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition."
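The advisory describes the flaw only as insufficient error handling during DNS name resolution in the DANE component. The following is an added illustration of the general rule that wording points at, not Cisco's code and not a description of AsyncOS internals: an outbound SMTP client doing a DANE TLSA lookup must map every DNS result, including a bogus DNSSEC answer, a SERVFAIL and an exception raised by the resolver library, to a defined outcome (deliver, fall back, refuse, or defer) rather than letting the error propagate and take the delivery process down. The resolver, the zone data and the certificate bytes are all constructed stand-ins so the script runs offline; only DANE-EE (usage 3) matching against the leaf certificate is implemented.

```python
"""Illustrative DANE (RFC 6698 / RFC 7672) TLSA verification for an outbound
SMTP client in which every DNS failure maps to a defined outcome.
Added example: not Cisco's code. Resolver, zone and certificate bytes are
constructed in this file so it runs offline."""

import hashlib
from dataclasses import dataclass
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"      # answer validated by DNSSEC
    INSECURE = "insecure"  # zone not signed: DANE cannot apply
    BOGUS = "bogus"        # DNSSEC validation failed
    NXDOMAIN = "nxdomain"  # authenticated denial: no TLSA records
    SERVFAIL = "servfail"  # resolver error or timeout


@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # RFC 6698 certificate usage; 3 = DANE-EE (leaf cert)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class DnsAnswer:
    status: DnsStatus
    records: tuple = ()


@dataclass(frozen=True)
class PeerCert:
    der: bytes       # DER of the server certificate (constructed below)
    spki_der: bytes  # DER of its SubjectPublicKeyInfo (constructed below)


class DaneOutcome(Enum):
    VERIFIED = "verified"                   # TLSA matched: deliver over TLS
    NOT_APPLICABLE = "dane-not-applicable"  # no usable secure TLSA: non-DANE policy
    MISMATCH = "mismatch"                   # secure TLSA present, cert differs: refuse
    DEFER = "defer"                         # transient DNS failure: queue and retry


def _matches(rec: TlsaRecord, cert: PeerCert) -> bool:
    chosen = cert.der if rec.selector == 0 else cert.spki_der
    if rec.matching == 0:
        return chosen == rec.data
    if rec.matching == 1:
        return hashlib.sha256(chosen).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(chosen).digest() == rec.data
    return False


def lookup_tlsa(resolver, mx_host: str, port: int = 25) -> DnsAnswer:
    """Query _<port>._tcp.<mx_host>. TLSA. A resolver exception becomes a
    SERVFAIL answer instead of an unhandled error inside the MTA."""
    name = f"_{port}._tcp.{mx_host}."
    try:
        return resolver(name)
    except Exception:
        return DnsAnswer(DnsStatus.SERVFAIL)


def dane_verify(resolver, mx_host: str, cert: PeerCert, port: int = 25) -> DaneOutcome:
    answer = lookup_tlsa(resolver, mx_host, port)
    if answer.status in (DnsStatus.BOGUS, DnsStatus.SERVFAIL):
        # RFC 7672: bogus or unreachable DNS is a temporary failure. Neither
        # deliver unverified nor abort the process; defer and retry.
        return DaneOutcome.DEFER
    if answer.status in (DnsStatus.INSECURE, DnsStatus.NXDOMAIN):
        return DaneOutcome.NOT_APPLICABLE
    # Only DANE-EE(3) against the leaf is handled here; DANE-TA(2) would need
    # the full chain, and PKIX usages 0 and 1 are unusable for SMTP (RFC 7672).
    usable = [r for r in answer.records
              if r.usage == 3 and r.selector in (0, 1) and r.matching in (0, 1, 2)]
    if not usable:
        return DaneOutcome.NOT_APPLICABLE
    return DaneOutcome.VERIFIED if any(_matches(r, cert) for r in usable) else DaneOutcome.MISMATCH


# ---- constructed fixtures standing in for handshake and DNS data ----
SAMPLE_CERT = PeerCert(der=b"constructed-leaf-der", spki_der=b"constructed-spki-der")

CONSTRUCTED_ZONE = {
    "_25._tcp.mx.good.example.": DnsAnswer(DnsStatus.SECURE, (
        TlsaRecord(3, 1, 1, hashlib.sha256(SAMPLE_CERT.spki_der).digest()),)),
    "_25._tcp.mx.rotated.example.": DnsAnswer(DnsStatus.SECURE, (
        TlsaRecord(3, 0, 1, hashlib.sha256(b"previous-cert-der").digest()),)),
    "_25._tcp.mx.plain.example.": DnsAnswer(DnsStatus.INSECURE),
    "_25._tcp.mx.notlsa.example.": DnsAnswer(DnsStatus.NXDOMAIN),
    "_25._tcp.mx.bogus.example.": DnsAnswer(DnsStatus.BOGUS),
}


def stub_resolver(name: str) -> DnsAnswer:
    """Constructed resolver. A crafted recipient domain can steer the MTA into
    any of these cases, including one where the resolver library raises."""
    if name.endswith(".timeout.example."):
        raise TimeoutError("constructed resolver timeout")
    return CONSTRUCTED_ZONE.get(name, DnsAnswer(DnsStatus.SERVFAIL))


def run_demo() -> dict:
    hosts = ("mx.good.example", "mx.rotated.example", "mx.plain.example",
             "mx.notlsa.example", "mx.bogus.example", "mx.timeout.example")
    return {h: dane_verify(stub_resolver, h, SAMPLE_CERT) for h in hosts}


if __name__ == "__main__":
    for host, outcome in run_demo().items():
        print(f"{host:20} -> {outcome.value}")
```

The point of the six hosts is that the attacker, by choosing the recipient domain in a message the gateway must resolve, chooses which DNS path the DANE code takes; a client that handles only the "secure answer" path has a crash surface on every other one. Deferring on bogus or failed lookups is also what keeps the check from being downgraded by a DNS-level attacker.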
CVE-2022-20653 affects all Cisco ESA devices running a vulnerable version of Cisco AsyncOS software that have the DANE feature enabled and the downstream mail servers configured to send bounce messages, Cisco's advisory says.
Cisco says that the DANE feature is not enabled by default. To verify whether it is enabled on a device, administrators can open "Mail Policies," then "Destination Controls," in the web UI and select "Add Destination" to inspect the DANE Support option.
Cisco devices that do not support DANE or have their DANE feature disabled are unaffected.
Cisco Cloud Email Security deployments also include Cisco Secure Email and Web Manager, formerly known as the Cisco Security Management Appliance, alongside the ESA. According to the advisory, neither Secure Email and Web Manager nor the Cisco Web Security Appliance is affected by this vulnerability.
Updates and Workaround
Cisco has provided a fix for various release versions of the AsyncOS software.
Of these, Cisco AsyncOS Software release 18.104.22.168 is a hot patch release that must be provisioned through the Cisco TAC, the company says.
As a workaround, Cisco suggests configuring bounce messages from Cisco ESA instead of from downstream-dependent mail servers.
Cisco says the workaround has been deployed and proven successful in a test environment, but customers should still evaluate its applicability and effect on their own environment before deploying it.
Cisco credits the discovery of this vulnerability to professionals at the Dutch government's ICT service providers.
The company this week also released advisories on two medium-severity vulnerabilities and one high-severity vulnerability.
Cisco RCM for Cisco StarOS Software
CVE-2022-20750 is a medium-severity vulnerability in the checkpoint manager implementation of Cisco Redundancy Configuration Manager for Cisco StarOS Software. The vulnerability is due to improper input validation of an ingress TCP packet. If exploited, it allows an unauthenticated, remote attacker to cause a DoS condition, because the checkpoint manager process restarts upon receiving specially crafted TCP data.
Cisco Prime Infrastructure and Evolved Programmable Network Manager
CVE-2022-20659 is a medium-severity vulnerability in the web-based management interface of Cisco PI and Cisco EPN Manager. This vulnerability exists because of improper validation of user-supplied input in the web-based management interface. If exploited, it allows an unauthenticated remote attacker to conduct a cross-site scripting attack against the interface of an affected device.
Cisco IOS XE SD-WAN Software
CVE-2021-1529 is a high-severity vulnerability in the CLI of Cisco IOS XE SD-WAN software. This vulnerability exists because of insufficient validation of user-supplied input by the system CLI. If exploited, it allows an authenticated, local attacker to execute arbitrary commands with root privileges.
Importance of Patch Management
The International Committee of the Red Cross incident, in which the organization fell victim to a cyberattack due to an unpatched critical Zoho vulnerability, is a prime example of the effects that unpatched software and systems can have. The ICRC said that it had not patched in a timely manner, as there were "tens of thousands of patches" that needed to be implemented.
With the complexity of modern software, and the significant amount of code involved, there will inevitably be vulnerabilities found, and some of them will be critical and dangerous, according to Erich Kron, security awareness advocate at cybersecurity firm KnowBe4.
Since patching and making changes to configurations to deal with serious vulnerabilities can potentially cause outages, he says, a company must have a clear change management process and be able to quickly test patches.
Kron also says the ability to roll back or recover from the application of fixes is a critical part of an organization's risk mitigation and operational strategies.