Cisco warns: Patch now or risk your security appliance choking on single rogue email

One bad email could crash your Cisco email security appliance and keep it down as it tries to process the same email over and again.
Written by Liam Tung, Contributing Writer

Your email security appliance running Cisco AsyncOS could enter an endless loop of crashing and restarting if it attempts to process a specially crafted S/MIME-signed email.

Cisco has disclosed fixes for a terrible bug affecting AsyncOS for Cisco email security appliances, which are prone to a "permanent" denial of service (DoS) because the software doesn't properly validate S/MIME-signed emails. 

S/MIME or Secure/Multipurpose Internet Mail Extensions is a protocol that allows users to digitally sign and encrypt email messages from an email client. An attacker could trigger the permanent DoS on a Cisco email security appliance by sending a malicious S/MIME-signed email through a target device. 

The message could cause a device's message filtering process to crash and restart if it has been configured for decryption and verification or public-key harvesting. 

"The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. A successful exploit could allow the attacker to cause a permanent DoS condition," Cisco explains. 

The device will likely be caught in this cycle until an admin notices and manually intervenes to recover the security appliance.  
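The failure mode described above is a classic poison-message loop: the filtering process dies on one message, restarts, and picks up the same message again because nothing recorded that it was the cause. The following is an added example written for this article, not Cisco's code and not AsyncOS's actual queue handling. It simulates a filter that crashes on malformed signed input over a constructed three-message queue, contrasts the naive "resume where you left off" loop with a quarantine loop that records each attempt before processing, and returns what each strategy delivers. The crash trigger, the message ids, `MAX_ATTEMPTS` and `RESTART_BUDGET` are all assumptions made for the demonstration.

```python
"""Poison-message handling in a mail filter pipeline (constructed example)."""
from collections import deque
from dataclasses import dataclass

MAX_ATTEMPTS = 3       # assumption: crashes tolerated per message before quarantine
RESTART_BUDGET = 10    # assumption: restarts the naive loop gets before the demo stops


class FilterCrash(Exception):
    """Simulates the filtering process dying while handling one message."""


@dataclass(frozen=True)
class Message:
    msg_id: str
    body: bytes


def fragile_filter(msg: Message) -> str:
    """Stand-in for a signature-verification step that dies on malformed
    signed input instead of rejecting it cleanly (assumed trigger)."""
    if msg.body.startswith(b"Content-Type: application/pkcs7-mime") and b"MALFORMED" in msg.body:
        raise FilterCrash(f"verifier died on {msg.msg_id}")
    return "delivered"


def naive_loop(messages, filt=fragile_filter):
    """After every restart, re-process the head of the queue with no memory
    of what crashed.  Returns (delivered_ids, restarts)."""
    queue = deque(messages)
    delivered, restarts = [], 0
    while queue and restarts < RESTART_BUDGET:
        msg = queue[0]              # the same message is picked up after a restart
        try:
            filt(msg)
            queue.popleft()
            delivered.append(msg.msg_id)
        except FilterCrash:
            restarts += 1           # process restarts; queue state is unchanged
    return delivered, restarts      # everything behind the poison message is stuck


def resilient_loop(messages, filt=fragile_filter, attempts=None):
    """Record the attempt *before* processing so the count survives a crash,
    and quarantine any message that has already crashed MAX_ATTEMPTS times.
    Returns (delivered_ids, quarantined_ids, restarts)."""
    attempts = {} if attempts is None else attempts   # stand-in for a durable store
    queue = deque(messages)
    delivered, quarantined, restarts = [], [], 0
    while queue:
        msg = queue[0]
        attempts[msg.msg_id] = attempts.get(msg.msg_id, 0) + 1   # write-ahead count
        if attempts[msg.msg_id] > MAX_ATTEMPTS:
            queue.popleft()
            quarantined.append(msg.msg_id)   # set aside for an admin, keep the queue moving
            continue
        try:
            filt(msg)
            queue.popleft()
            delivered.append(msg.msg_id)
        except FilterCrash:
            restarts += 1
    return delivered, quarantined, restarts


# Constructed sample queue: a clean message, a malformed signed one, a clean one.
SAMPLE_QUEUE = [
    Message("m1", b"Content-Type: text/plain\r\n\r\nhello"),
    Message("m2", b"Content-Type: application/pkcs7-mime\r\n\r\nMALFORMED"),
    Message("m3", b"Content-Type: text/plain\r\n\r\nreport attached"),
]

if __name__ == "__main__":
    print("naive    :", naive_loop(SAMPLE_QUEUE))        # m3 never delivered
    print("resilient:", resilient_loop(SAMPLE_QUEUE))    # m2 quarantined, m3 delivered
```

The detail that matters is the order of operations in `resilient_loop`: the attempt counter is written before the message is handed to the filter, because a process that crashes mid-message never reaches any bookkeeping placed after the call. Without that write-ahead record the appliance has no way to tell a transient failure from the message itself, which is exactly the cycle the advisory describes.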


The bug, tracked as CVE-2018-15453, has a critical rating and there are no workarounds, so the best option to prevent attacks is to install Cisco's patches. Fortunately, it's not known to be exploited in the wild, and was reported to Cisco privately by a customer. 

Cisco disclosed fixes for another 17 bugs on Wednesday, though all had lower severity ratings. 

The worst of them also affects AsyncOS and could allow a remote, unauthenticated attacker to completely consume a device's CPU, again causing a DoS. 

The high-severity bug, CVE-2018-15640, is caused by improper filtering of email messages that contain references to whitelisted URLs. 

If the device processes an email with loads of whitelisted URLs, it could experience a DoS that stops it scanning and forwarding email. Cisco has fixed the bug in multiple releases of AsyncOS.
