We're two weeks into 2019, and an email can potentially knacker your Cisco message box – plus other bugs to fix

Process data, crash, restart, process data, crash, restart...

Cisco's security team's holiday season has ended with a bang: 18 patches, but thankfully only one of them rated “critical”.

Switchzilla's E-mail Security Appliance's AsyncOS operating system has the honour of 2019's first-and-worst in CVE-2018-15453.

The bug affects how the appliance handles S/MIME-signed e-mails. If the attacker sends a malicious message to the targeted device, and the user has configured the “Decryption and Verification” or “Public Key Harvesting” options, memory corruption will crash the system.

The process restarts itself, but as Cisco's advisory explained, that doesn't really help, because it will try to process the malicious message again – and things go downhill from there. “A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.”

AsyncOS suffers from a second bug – rated “High” – in its URL filtering, tracked as CVE-2018-15460. An attacker can force the CPU up to maximum usage and then crash the appliance by sending an email containing a “large number of whitelisted URLs” through the system. A fix is available, and for those who can't upgrade immediately, Cisco provided configuration instructions for a workaround.
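An added example, not Cisco's code or part of the original article: a Python check an admin could run over queued or archived mail to see which messages would reach the S/MIME handling path (CVE-2018-15453) or carry an unusually high URL count (CVE-2018-15460). The function name, the `URL_THRESHOLD` value and the sample messages are assumptions constructed for illustration; the check reports which code path a message exercises, not whether it is malicious.

```python
import re
from email import message_from_bytes
from email.policy import default

# Assumption: the advisory gives no figure for "large number"; set this locally.
URL_THRESHOLD = 100
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime",
               "application/pkcs7-signature", "application/x-pkcs7-signature"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def triage(raw: bytes) -> dict:
    """Report whether a message is S/MIME and how many URLs its text holds."""
    msg = message_from_bytes(raw, policy=default)
    smime, urls = False, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            # Detached signature: the protocol parameter names the S/MIME type.
            proto = (part.get_param("protocol") or "").lower()
            smime = smime or proto in SMIME_TYPES
        elif ctype in SMIME_TYPES:
            # Opaque signed or enveloped data, or the signature part itself.
            smime = True
        elif part.get_content_maintype() == "text":
            urls += len(URL_RE.findall(part.get_content()))
    return {"smime": smime, "url_count": urls,
            "review": smime or urls > URL_THRESHOLD}

# Constructed sample messages (not real traffic).
SIGNED = (b'Content-Type: multipart/signed; boundary="b1"; '
          b'protocol="application/pkcs7-signature"\n\n'
          b'--b1\nContent-Type: text/plain\n\nsee http://example.com/a\n'
          b'--b1\nContent-Type: application/pkcs7-signature\n\nAAAA\n--b1--\n')
URL_HEAVY = b"Subject: links\n\n" + b"\n".join(
    b"https://example.com/%d" % i for i in range(150))
PLAIN = b"Subject: hello\n\nnothing to see here\n"

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("url-heavy", URL_HEAVY),
                      ("plain", PLAIN)]:
        print(name, triage(raw))
```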

You'll be pleased to know that the other 16 entries on today's vulnerability list rate only “medium” severity.

The company's 8800 Series IP phones are vulnerable to a script injection attack (CVE-2018-0461), but the attacker only gets to execute scripts in the context of the device's UI.

There are seven cross-site scripting bugs, in Webex Business Suite (CVE-2018-15461), the TelePresence Management Suite (CVE-2018-15467), the Prime Network Control System (CVE-2018-0482), the Jabber client framework (CVE-2018-0483), the Identity Services Engine (two CVEs: CVE-2018-15440 and CVE-2018-15463), and the Content Security Management appliance (CVE-2018-15393).

Under the heading of information disclosure, the Identity Services Engine has a password recovery vulnerability (CVE-2018-15456), and Unified Communications Manager can also leak credentials (CVE-2018-0474). ®
