
Cisco patches 18 vulnerabilities including a critical memory corruption DoS bug

Cisco issued 18 fixes for vulnerabilities spanning its product line including a critical flaw which could be triggered by a malicious email and another flaw which could enable a permanent DoS condition forcing the affected device to stop scanning and forwarding messages.

The critical flaw is a memory corruption denial of service vulnerability in Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), caused by improper input validation of S/MIME-signed emails, according to a Jan. 9 Security Advisory.

This vulnerability could be exploited by sending a malicious S/MIME-signed email through a targeted device, and recovering the ESA may require manual intervention.

Cisco also patched a high-rated email security appliance URL Filtering Denial of Service vulnerability in its Cisco AsyncOS Software, which could allow an unauthenticated, remote attacker to drive CPU utilization to 100 percent, causing a denial of service (DoS) condition on an affected device.

This vulnerability was caused by improper filtering of email messages that contain references to whitelisted URLs. Other vulnerabilities included a Webex Business Suite Cross-Site Scripting Vulnerability, a TelePresence Management Suite Cross-Site Scripting Vulnerability, and a Jabber Client Framework Insecure Directory Permissions Vulnerability.
