Cisco Patches Critical Email Security Appliance Vulnerability

A critical flaw that could be exploited to gain full control of a Cisco Email Security appliance has been patched. The flaw – CVE-2016-6406 – affects Cisco’s testing and debugging interface on the IronPort AsyncOS operating system. The testing and debugging system is used by Cisco during the manufacturing process and should have been disabled on customer-available software releases.

If an attacker connects to the debugging system, the vulnerability could be exploited, which would provide full control of the affected device with root level privileges. The bug was announced last week, and a workaround was issued to stop affected devices from being accessed remotely. Now a patch has been issued that corrects the flaw.

Due to the seriousness of the flaw, users of Cisco Email Security Appliances – physical and virtual devices – that are running any of the following software versions should update their software as soon as possible to prevent the flaw from being exploited.

  • 1.2-023
  • 1.2-028
  • 1.2-036
  • 7.2-046
  • 7.2-047
  • 7-2-054
  • 0.0-124
  • 0.0-125


Any Cisco ESA user that is unsure of the software version installed on their appliance can check the version of Cisco AsyncOS Software by using the version command on the ESA command-line interface (CLI).

Cisco notes that its Cloud Email Security (CES) service, Content Security Management Appliance, and Web Security Appliance are not affected by this vulnerability.

The vulnerability could only be exploited if certain conditions are met. In order for a device to be vulnerable to attack, in addition to running one of the above software versions, the device must have been rebooted fewer than two times since the above software releases were installed. On the second reboot the testing and debugging system is automatically disabled.  Further, the Enrollment Client component version must be earlier than version 1.0.2-065. All three conditions must be met in order for the vulnerability to be exploitable.

An Enrollment Client update was made available on September 15, 2016 which disables the testing interface. To test whether the Enrollment Client has been updated, users should execute the ecstatus command and check the version number.

Cisco has also issued security updates to correct 12 flaws, 10 of which have been rated high and eight could be exploited to carry out DoS attacks.

The security updates correct the following flaws in Cisco IOS and IOS XE Software: CVE-2016-6385 – A memory leak vulnerability; CVE-2016-6382 – A Multicast Routing DoS vulnerability; CVE-2016-6379 – an IP Detail Record DoS vulnerability; CVE-2016-6381 – An Internet Key Exchange V1. Fragmentation DoS vulnerability; CVE-2016-6384 – A H.323 Message Validation DoS vulnerability; CVE-2016-6386 An IP Fragment Reassembly DoS vulnerability; CVE-2016-6378 – A NAT DoS vulnerability; CVE-2016-6380 a DNS Forwarder DoS vulnerability; CVE-2016-6391 – A Common Industrial Protocol DoS vulnerability; and CVE-2016-6393 – An AAA Login DoS vulnerability.

Two vulnerabilities have been corrected in the Cisco Firepower Management Center: CVE-2016-6419 – A SQL injection vulnerability; and CVE-2016-6420 – a privilege escalation vulnerability.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of