Your email security appliance running Cisco AsyncOS could enter an endless loop of crashing and restarting if it attempts to process a specially crafted encrypted email.
Cisco has disclosed fixes for a terrible bug affecting AsyncOS for Cisco email security appliances, which are prone to a "permanent" denial of service (DoS) because the software doesn't properly validate S/MIME-signed emails.
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a protocol that allows users to digitally sign and encrypt email messages from an email client. An attacker could trigger the permanent DoS on a Cisco email security appliance by sending a malicious S/MIME-signed email through a target device.
The message could cause a device's message filtering process to crash and restart if it has been configured for decryption and verification or public-key harvesting.
"The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. A successful exploit could allow the attacker to cause a permanent DoS condition," Cisco explains.
The device will likely be caught in this cycle until an admin notices and manually intervenes to recover the security appliance.
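The crash-and-resume cycle described above is a general "poison message" failure mode in queue-processing software. The following toy model is an added illustration, not Cisco's code or its fix, and not a workaround for the appliance; `scan`, `run_supervised`, `MAX_ATTEMPTS` and the sample queue are all hypothetical. It shows the loop and how a durable per-message attempt counter breaks it.

```python
# Added illustration: a toy model of a supervised mail filter, not AsyncOS code.
from collections import deque

MAX_ATTEMPTS = 3  # assumed threshold before a message is quarantined


class FilterCrash(Exception):
    """Stands in for the filtering process dying on one message."""


def scan(msg):
    # Constructed trigger: any message flagged 'malformed' kills the filter.
    if msg["malformed"]:
        raise FilterCrash(msg["id"])
    return msg["id"]


def run_supervised(queue, quarantine_enabled, restart_budget=20):
    """Run the filter under a supervisor that restarts it after each crash.

    State that survives restarts (queue, attempts, quarantine) models on-disk
    data. Returns (delivered, quarantined, restarts).
    """
    queue = deque(queue)
    attempts, delivered, quarantined = {}, [], []
    restarts = 0
    while queue and restarts < restart_budget:
        msg = queue[0]  # after a restart the worker resumes at the same head
        if quarantine_enabled:
            # Record the attempt durably *before* touching the message.
            attempts[msg["id"]] = attempts.get(msg["id"], 0) + 1
            if attempts[msg["id"]] > MAX_ATTEMPTS:
                quarantined.append(queue.popleft()["id"])
                continue
        try:
            delivered.append(scan(msg))
            queue.popleft()
        except FilterCrash:
            restarts += 1  # supervisor restarts the filter process
    return delivered, quarantined, restarts


# Constructed sample queue: one crashing message ahead of two normal ones.
SAMPLE = [
    {"id": "m1", "malformed": True},
    {"id": "m2", "malformed": False},
    {"id": "m3", "malformed": False},
]
```

Without the counter the run ends only because the demo's restart budget runs out, with nothing delivered; with it, the bad message is set aside after three crashes and the rest of the queue drains.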
The bug, tracked as CVE-2018-15453, has a critical rating and there are no workarounds, so the best option to prevent attacks is to install Cisco's patches. Fortunately, it's not known to be exploited in the wild, and was reported to Cisco privately by a customer.
Cisco disclosed fixes for another 17 bugs on Wednesday, though all had lower severity ratings.
The worst of them also affects AsyncOS and could allow a remote, unauthenticated attacker to completely consume a device's CPU, again causing a DoS.
The high-severity bug, CVE-2018-15640, is caused by improper filtering of email messages that contain references to whitelisted URLs.
If the device processes an email with a large number of whitelisted URLs, it could experience a DoS that stops it from scanning and forwarding email. Cisco has fixed the bug in multiple releases of AsyncOS.