IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cisco patches bug that could break its email security service with a single message

A carefully crafted email could freeze Cisco's Email Security Appliance interface and stop it processing messages

A Cisco sign on a street corner next to a red traffic light

Cisco has fixed a bug that could allow attackers to lock up its email security appliance with a single malicious email.

The bug, which has the ID CVE-2022-20653, affects Cisco's Email Security Appliance (ESA), an email security gateway product that detects and blocks email-borne malware, spam, and phishing attempts.

The problem lies in the ASyncOS operating system that the ESA uses, according to an advisory issued by the company this week.

The problem lies in the appliance's use of DNS-based Authentication of Named Entities (DANE) for security. DANE uses the more secure DNSSEC protocol to provide extra verification that a DNS record is legitimate. This makes it harder for malicious actors to spoof digital certificates or use man-in-the-middle attacks to misdirect DNS requests.

However, Cisco found that ASyncOS was unable to properly handle DNS name resolution, opening it up to exploit through malicious inputs.

In this case, the malicious input would be an email and, if crafted correctly, could freeze the appliance's management interface and stop it processing further emails until it had recovered.

Cisco has classified the vulnerability, which has a CVSS score of 7.5, as a denial of service (DoS) bug.

"Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition," Cisco warned.

Related Resource

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Man at his computer next to title card - whitepaper from ServiceNowFree download

The DANE feature is not enabled by default, meaning that only those who have activated it will be affected. Those customers can install Cisco's software updates to fix the problem.

In the meantime, customers can also configure bounce messages from the ESA instead of from downstream dependent email servers to stop attackers exploiting the bug, the company said.

The ASyncOS software saw two other reported vulnerabilities last year. CVE-2021-1566 was a bug in its Cisco Advanced Malware protection for Endpoints integration, allowing the interception of remote traffic. The other, CVE-2021-1359, allowed attackers to gain root privileges.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Cisco to exit Russia, Belarus in business wind-down
Business operations

Cisco to exit Russia, Belarus in business wind-down

24 Jun 2022
WAN Insights is Cisco’s first foray into predictive network intelligence
Network & Internet

WAN Insights is Cisco’s first foray into predictive network intelligence

16 Jun 2022
Cisco unveils new ‘intelligent’ approach to networking with brace of product launches
Network & Internet

Cisco unveils new ‘intelligent’ approach to networking with brace of product launches

16 Jun 2022
Deepfake attacks expected to be next major threat to businesses
phishing

Deepfake attacks expected to be next major threat to businesses

16 Jun 2022

Most Popular

FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Internet providers look to ease cost of living crisis with cheaper broadband
broadband

Internet providers look to ease cost of living crisis with cheaper broadband

29 Jun 2022