Cisco issued 18 fixes for vulnerabilities spanning its product line, including a critical flaw that could be triggered by a malicious email and another that could cause a permanent denial of service condition, forcing the affected device to stop scanning and forwarding messages.
The critical flaw is a memory corruption denial of service vulnerability in Cisco AsyncOS Software for the Cisco Email Security Appliance (ESA), caused by improper input validation of S/MIME-signed emails, according to a Jan. 9 Security Advisory.
An attacker could exploit the vulnerability by sending a malicious S/MIME-signed email through a targeted device, and manual intervention may be required to recover the ESA.
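Because the trigger is an S/MIME-signed message, operators can at least inventory such mail on an upstream relay or in a mailbox export while an ESA is awaiting the AsyncOS fix. The script below is an added example, not code from the Cisco advisory or from CERT-MU. It assumes messages are available as raw RFC 5322 bytes and that S/MIME-signed mail can be recognised by its MIME structure (multipart/signed with a pkcs7-signature protocol, or application/pkcs7-mime with smime-type signed-data, as in RFC 8551); the sample messages are constructed and carry dummy signature bodies. It identifies signed messages for logging or holding; it is not a fix for the vulnerability.

```python
"""Inventory S/MIME-signed messages in a mail stream (added example).

This is not code from the Cisco advisory or from CERT-MU. It assumes messages
are available as raw RFC 5322 bytes (e.g. from an upstream relay's quarantine
or a mailbox export) and identifies S/MIME-signed mail by its MIME structure
(RFC 8551) so it can be logged or held while an unpatched ESA is still in
the mail path. It does not fix the vulnerability.
"""
import email
from email import policy

# Subtypes used by S/MIME (RFC 8551 section 3.2.2), including legacy x- forms.
SMIME_SIGNATURE_SUBTYPES = {"pkcs7-signature", "x-pkcs7-signature"}
SMIME_MIME_SUBTYPES = {"pkcs7-mime", "x-pkcs7-mime"}


def _is_smime_signed_part(part) -> bool:
    """Recursive check of one MIME part and its children."""
    ctype = part.get_content_type()          # lowercase "type/subtype"
    maintype, _, subtype = ctype.partition("/")

    # Clear-signed: multipart/signed; protocol="application/pkcs7-signature"
    if ctype == "multipart/signed":
        proto = str(part.get_param("protocol") or "").lower()
        if proto.startswith("application/") and proto.split("/", 1)[1] in SMIME_SIGNATURE_SUBTYPES:
            return True

    # Opaque-signed: application/pkcs7-mime; smime-type=signed-data.
    # A missing smime-type is treated as signed, which errs on the side of flagging.
    if maintype == "application" and subtype in SMIME_MIME_SUBTYPES:
        smime_type = str(part.get_param("smime-type") or "").lower()
        return smime_type in ("signed-data", "")

    # Descend into containers (multipart/*, message/rfc822) so a signed
    # message forwarded as an attachment is still caught.
    if part.is_multipart():
        return any(_is_smime_signed_part(child) for child in part.iter_parts())
    return False


def is_smime_signed(raw: bytes) -> bool:
    """Return True if the raw message (or any nested part) is S/MIME signed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return _is_smime_signed_part(msg)


def flag_smime_messages(messages):
    """Return the indexes of messages that should be held for review."""
    return [i for i, raw in enumerate(messages) if is_smime_signed(raw)]


# Constructed sample messages (not real traffic); signature bodies are dummies.
CLEAR_SIGNED = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: clear-signed\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha-256; boundary="sig"\r\n\r\n'
    b"--sig\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b'--sig\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nMIIBAA==\r\n--sig--\r\n"
)
OPAQUE_SIGNED = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: opaque-signed\r\n"
    b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nMIIBAA==\r\n"
)
ENCRYPTED_ONLY = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: enveloped\r\n"
    b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nMIIBAA==\r\n"
)
PLAIN = b"From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n\r\nplain text\r\n"

SAMPLES = [CLEAR_SIGNED, OPAQUE_SIGNED, ENCRYPTED_ONLY, PLAIN]

if __name__ == "__main__":
    for i in flag_smime_messages(SAMPLES):
        print(f"message {i}: S/MIME signed, hold for review")
```

Run against the constructed samples, the two signed messages (clear-signed and opaque-signed) are flagged, while the enveloped-only (encrypted, not signed) and plain-text messages are not. The check is deliberately structural: it does not parse or verify the PKCS#7 blob, since the point is to find messages that would reach the vulnerable code path, not to validate them.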
Cisco also patched a high-rated email security appliance URL Filtering denial of service vulnerability in Cisco AsyncOS Software that could allow an unauthenticated, remote attacker to drive CPU utilization to 100 percent, causing a denial of service (DoS) condition on an affected device.
This vulnerability was caused by improper filtering of email messages that contain references to whitelisted URLs. Other fixes addressed a Webex Business Suite cross-site scripting vulnerability, a TelePresence Management Suite cross-site scripting vulnerability, and a Jabber Client Framework insecure directory permissions vulnerability.
Cisco Security Advisories
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street