Cisco Email Security Appliance Flaws Patched

On Wednesday this week, updated software was released to address nine Cisco email security appliance flaws. Cisco has not uncovered any evidence to suggest that any of the recently addressed flaws have actually been exploited in the wild, although users of its email security appliances have been advised to update to the latest version of its software at the earliest opportunity.

The latest update resolves three Denial-of-Service flaws that affect the company’s AsyncOS software. Each of these vulnerabilities could be exploited by sending specially crafted emails and attachments, which could cause a Denial-of-Service condition. All three of these Cisco email security appliance flaws have been rated as high severity.

CVE-2016-6356 is a flaw in the email message filtering feature of AsyncOS that affects both hardware and virtual appliances. Exploiting the vulnerability would cause the device to stop scanning and forwarding email messages. The fault is due to improper input validation of attachments with corrupted fields. Likewise, CVE-2016-1486 affects both virtual and hardware appliances and could be exploited with a similar effect. This vulnerability relates to the way UU-encoded files that are attached to an email message are handled. CVE-2016-1481 is a flaw in the way AsyncOS software validates compressed message attachments that contain malformed Design (DGN) files. All three could be exploited to cause a repeated DoS condition.

CVE-2016-1486 affects AsyncOS versions 9.7 and 10.0. CVE-2016-1481 and CVE-2016-6356 affect versions 8.0 and earlier, 9.0, 9.1, 9.5, 9.6, 9.7, and 10.0.

While these three Cisco email security appliance flaws are the most serious, a host of medium severity flaws have also been addressed. These affect either AsyncOS software or Web Security Appliances. Some of these flaws can also result in an attacker triggering a DoS condition or allow certain filters to be bypassed. Users of Cisco Email and Web Security Appliances should visit Cisco Support for further information. Patches should be prioritized to address the most serious flaws first.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news