Cisco issued 18 fixes for vulnerabilities spanning its product line, including a critical flaw that could be triggered by a malicious email and another flaw that could cause a permanent DoS condition, forcing the affected device to stop scanning and forwarding messages.
The critical flaw is a memory corruption denial of service vulnerability in Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), caused by improper input validation of S/MIME-signed emails, according to a 9 January Security Advisory.
This vulnerability could be exploited by sending a malicious S/MIME-signed email through a targeted device, and recovering the ESA may require manual intervention.
Cisco also patched a high-rated Email Security Appliance URL Filtering Denial of Service vulnerability in its Cisco AsyncOS Software, which could allow an unauthenticated, remote attacker to drive CPU utilisation to 100 percent, causing a denial of service (DoS) condition on an affected device.
This vulnerability was caused by improper filtering of email messages that contain references to whitelisted URLs. Other vulnerabilities included a Webex Business Suite Cross-Site Scripting Vulnerability, a TelePresence Management Suite Cross-Site Scripting Vulnerability, and a Jabber Client Framework Insecure Directory Permissions Vulnerability.
This article was originally published on SC Media US.