Cisco Patches Critical Flaw in Email Security That Enables Permanent DoS

Cisco has recently patched two severe vulnerabilities in its email protection service. The vulnerabilities, tagged as critical and high-severity, can each lead to a Denial of Service (DoS).

The company also released 16 other fixes for medium-severity bugs for its users all over the world.

The critical flaw, known as CVE-2018-15453, has a Common Vulnerability Scoring System (CVSS) score of 8.6 and can lead to a permanent Denial of Service (DoS) on affected devices.

This particular flaw exists in Cisco AsyncOS, the software for Cisco Email Security Appliances, a platform that secures against email-based threats. The flaw lies in the Secure/Multipurpose Internet Mail Extensions (S/MIME) functionality; S/MIME is a method for sending and receiving verified and secure email messages.

Cisco observed that the vulnerability is due to improper input validation of emails in the S/MIME features, which usually consist of the decryption and verification-enabling feature and the public-key harvesting feature. When these two features are configured, an attacker could send a malicious S/MIME-signed email through a targeted device.

As soon as the attacker’s input is received and processed, the system could crash due to memory corruption, resulting in a DoS.

This flaw is critical because the system will attempt to resume processing the malicious S/MIME-signed email, causing it to crash and restart all over again.

The high-severity flaw, known as CVE-2018-15460, has the same CVSS score of 8.6 and also resides in AsyncOS.

This particular flaw originates in the email message filtering feature. Cisco typically leaves unfiltered those email messages that contain references to whitelisted URLs. These URLs are from Cisco’s trusted partners and vendors whose webmail may be damaged due to anti-malware or anti-virus policies.

An attacker could exploit this flaw by sending a malicious email containing a huge number of whitelisted URLs. This causes the CPU utilization to increase to 100% on a target device, triggering a DoS. This could cause the affected device to stop forwarding and scanning emails.

At the time the patches were released, Cisco confirmed that none of the vulnerabilities had been exploited on their systems.