Security Updates for Cisco Email Security Appliances (Feb. 2022)

Cisco has released security updates this week to close a vulnerability rated high severity (CVE-2022-20653) in its Email Security Appliances. Attackers could crash the e-mail security appliances with crafted e-mails and so effectively mount a denial-of-service (DoS) attack. The issue affects Cisco AsyncOS Software releases 14.0, 13.5, 13.0, 12.5 and earlier on Cisco ESA devices when DANE is enabled.



I became aware of Cisco's security advisory on this issue this week via various reports, including the following tweet.

Cisco vulnerability (CVE-2022-20653) in Email Security Appliances

A vulnerability exists in the DNS-based Authentication of Named Entities (DANE) component for email verification in Cisco AsyncOS Software for Cisco Email Security Appliance (ESA). This vulnerability (CVE-2022-20653) is due to insufficient error handling in DNS name resolution by the affected software. It could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device.

An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device. A successful attack could allow the attacker to render the device unreachable from the management interfaces or prevent further email messages from being processed for a period of time, resulting in a DoS condition. Continued attacks can cause the device to become completely unreachable, resulting in a persistent DoS condition.
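The mechanism the advisory describes, a DNS lookup whose failure is not handled and therefore stalls message processing, is easy to see in miniature. The following is an added illustration and not Cisco's code; it makes no claims about AsyncOS internals. It assumes a mail-processing loop that performs one TLSA lookup per destination MX host (the `_25._tcp.<host>` owner name from RFC 7672), a constructed fake resolver in place of a real DNSSEC-validating one, and the RFC 7672 rule that a message is deferred when TLSA records cannot be retrieved securely. The naive policy lets resolver errors escape, so one unresolvable domain leaves every later message in the queue unprocessed; the hardened policy maps each failure class to a per-message outcome and the loop keeps going.

```python
"""The failure class behind CVE-2022-20653, in miniature: a DANE TLSA lookup
whose DNS errors are not handled, so a single bad lookup aborts the whole
mail-processing loop.  Added illustration with a constructed fake resolver;
not Cisco's code, and no statement about how AsyncOS is implemented.
"""
from enum import Enum


class DnsOutcome(Enum):
    SECURE = "secure"        # DNSSEC-validated TLSA RRset present: DANE applies
    NODATA = "nodata"        # name exists, no TLSA RRset: DANE not in use
    INSECURE = "insecure"    # unsigned zone: TLSA records unusable (RFC 7672)
    NXDOMAIN = "nxdomain"    # TLSA owner name does not exist
    SERVFAIL = "servfail"    # resolver failure, incl. DNSSEC "bogus" answers
    TIMEOUT = "timeout"      # no answer within the resolver deadline


class DnsError(Exception):
    """Raised by the resolver for outcomes that are not an answer at all."""

    def __init__(self, outcome: DnsOutcome):
        super().__init__(outcome.value)
        self.outcome = outcome


class FakeResolver:
    """Constructed stand-in for a DNSSEC-validating resolver (assumption: the
    caller does one TLSA lookup per destination MX host)."""

    def __init__(self, table):
        self.table = table   # TLSA owner name -> (DnsOutcome, [records])

    def tlsa(self, owner):
        outcome, records = self.table.get(owner, (DnsOutcome.NXDOMAIN, []))
        if outcome in (DnsOutcome.SERVFAIL, DnsOutcome.TIMEOUT):
            raise DnsError(outcome)
        return outcome, records


def naive_dane_policy(resolver, mx_host):
    """Decides how to deliver to mx_host, but lets resolver errors escape:
    a SERVFAIL or timeout becomes an unhandled exception in the caller."""
    outcome, records = resolver.tlsa(f"_25._tcp.{mx_host}")
    if outcome is DnsOutcome.SECURE and records:
        return "dane-required"
    return "opportunistic-tls"       # NODATA / INSECURE / NXDOMAIN: no DANE


def hardened_dane_policy(resolver, mx_host):
    """Same decision, but every resolution failure maps to a per-message
    outcome. RFC 7672 s.2.2: when TLSA records cannot be retrieved securely
    the message is deferred, not delivered with DANE silently dropped."""
    try:
        outcome, records = resolver.tlsa(f"_25._tcp.{mx_host}")
    except DnsError as err:
        return f"defer({err.outcome.value})"
    if outcome is DnsOutcome.SECURE and records:
        return "dane-required"
    if outcome in (DnsOutcome.NODATA, DnsOutcome.INSECURE, DnsOutcome.NXDOMAIN):
        return "opportunistic-tls"
    return "defer(unexpected)"       # unknown outcome: fail closed per message


def process_queue(policy, resolver, queue):
    """Runs the policy over a queue of (msg_id, mx_host) and returns the
    decisions made before the loop ended. With the naive policy the loop
    ends at the first unhandled DnsError and every later message is left
    unprocessed, which is the DoS condition the advisory describes."""
    decisions = []
    try:
        for msg_id, mx_host in queue:
            decisions.append((msg_id, policy(resolver, mx_host)))
    except DnsError:
        pass   # stands in for the worker dying; nothing after it runs
    return decisions


# Constructed sample data: four MX hosts with different DNS behaviour.
RESOLVER = FakeResolver({
    "_25._tcp.mx.secure.example": (DnsOutcome.SECURE, ["3 1 1 placeholder-digest"]),
    "_25._tcp.mx.plain.example":  (DnsOutcome.NODATA, []),
    "_25._tcp.mx.broken.example": (DnsOutcome.SERVFAIL, []),
    "_25._tcp.mx.slow.example":   (DnsOutcome.TIMEOUT, []),
})

QUEUE = [
    ("m1", "mx.secure.example"),
    ("m2", "mx.broken.example"),   # the single bad lookup
    ("m3", "mx.plain.example"),
    ("m4", "mx.slow.example"),
    ("m5", "mx.secure.example"),
]


def main():
    for name, policy in (("naive", naive_dane_policy),
                         ("hardened", hardened_dane_policy)):
        done = process_queue(policy, RESOLVER, QUEUE)
        print(f"{name}: {len(done)}/{len(QUEUE)} processed -> {done}")


if __name__ == "__main__":
    main()
```

Running it shows the naive loop stopping after the first message while the hardened loop decides all five; the point for a defender is that a lookup failure should become a per-message deferral (and a log line worth alerting on if it repeats), never an exception that takes the processing path down with it.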

Cisco has released software updates that address this vulnerability, and the security advisory also describes workarounds.





