We're two weeks into 2019, and an email can potentially knacker your Cisco message box – plus other bugs to fix
Process data, crash, restart, process data, crash, restart...
Cisco's security team's holiday season has ended with a bang: 18 patches, but thankfully only one of them rated “critical”.
Switchzilla's E-mail Security Appliance's AsyncOS operating system has the honour of 2019's first-and-worst in CVE-2018-15453.
The bug affects how the appliance handles S/MIME-signed e-mails. If the attacker sends a malicious message to the targeted device, and the user has configured the “Decryption and Verification” or “Public Key Harvesting” options, memory corruption will crash the system.
The process restarts itself, but as Cisco's advisory explained, that doesn't really help, because it will try to process the malicious message again – and things go downhill from there. “A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.”
AsyncOS suffers from a second bug - rated “High” - in its URL filtering, in CVE-2018-15460. An attacker can force the CPU up to maximum usage and then crash the appliance by sending an email containing a “large number of whitelisted URLs” through the system. A fix is available, and for those who can't upgrade immediately, Cisco provided configuration instructions for a workaround.
Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)READ MORE
You'll be pleased to know that the other 16 of today's vulnerability list only rate “medium” severity.
The company's 8800 Series IP phones are vulnerable to a script injection attack (CVE-2018-0461), but the attacker only gets to execute scripts in the context of the device's UI.
There are seven cross-site scripting bugs, in Webex Business Suite (CVE-2018-15461), the TelePresence Management Suite (CVE-2018-15467), the Prime Network Control System (CVE-2018-0482), the Jabber client framework (CVE-2018-0483), the Identity Services Engine (two CVEs: CVE-2018-15440 and CVE-2018-15463), and the Content Security Management appliance (CVE-2018-15393).
Under the heading information disclosure, the Identity Services Engine has a password recovery vulnerability (CVE-2018-15456), and Unified Communications Manager can also leak credentials (CVE-2018-0474). ®