Alert overload

Cisco has released patches for three vulnerabilities that have been plaguing its products—one vulnerability rated high severity in its Email Security Appliance (ESA). The ESA vulnerability can lead to a denial-of-service (DoS) condition on a compromised device.

The vulnerability, labelled CVE-2022-20653 (CVSS score: 7.5), originates from an incomplete error handling in DNS name resolution. The error can be exploited by an unauthorized, remote attacker to send a specially designed email and cause a DoS.

“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition,” the company said in an advisory. “Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition.”

Also read,

The flaw affects Cisco ESA devices operating on Cisco AsyncOS Software versions 14.0, 13.5, 13.0, 12.5 and earlier. These devices have the “DANE feature enabled and with the downstream mail servers configured to send bounce messages.” DANE is short for DNS-based Authentication of Named Entities, which uses outbound mail validation.

Cisco hailed Rijksoverheid Dienst ICT Uitvoering’s (DICTU) researchers for identifying the vulnerability; the researchers also stated that they didn’t find any proof of malicious exploitation. 

Separately, the networking equipment maker also addressed two other flaws in its Prime Infrastructure and Evolved Programmable Network Manager and Redundancy Configuration Manager that could enable an adversary to execute arbitrary code and cause a DoS condition –

  • CVE-2022-20659 (CVSS score: 6.1) – Cisco Prime Infrastructure and Evolved Programmable Network Manager cross-site scripting (XSS) vulnerability
  • CVE-2022-20750 (CVSS score: 5.3) – Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP denial-of-service (DoS) vulnerability

These fixes followed another set of patches released by Cisco for various critical security vulnerabilities affecting its RV Series routers. Some of the vulnerabilities had a maximum possible CVSS severity score of 10. The vulnerabilities could be used to carry out arbitrary code on compromised systems.