Home > Cyber News > CVE-2018-15453 Vulnerability Affects Cisco AsyncOS
CYBER NEWS

CVE-2018-15453 Vulnerability Affects Cisco AsyncOS

by   |  Last Update:  |  0 Comments  

A serious security vulnerability, identified as CVE-2018-15453, in Cisco AsyncOS. More precisely, the vulnerability is located in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), as per the official advisory.




CVE-2018-15453 Technical Overview

The CVE-2018-15453 flaw could allow an unauthenticated, remote attack to cause a vulnerable device to corrupt system memory. Furthermore, a successful exploit could cause the filtering process to reload unexpectedly, which could lead to denial-of-service condition on the target device, Cisco explained.

Fortunately, fixes for the critical vulnerability are already available.

Related: [wplinkpreview url=”https://sensorstechforum.com/cve-2018-0448-cve-2018-15386-cisco-dna-software/”]CVE-2018-0448, CVE-2018-15386 in Cisco’s DNA Network Software, Patch Now

What is S/MIME? It is a protocol that enables users to digitally sign and encrypt email messages from an email client. The issue with the vulnerability is that threat actors could trigger a permanent DoS condition of a Cisco email security appliance by simply sending a malicious S/MIME-signed email using a target device. In other words, CVE-2018-15453 is triggered by improper validation of S/MIME-signed emails.

In addition:

If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.

Who is vulnerable? CVE-2018-15453 affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), both virtual and hardware appliances, if the software is configured for S/MIME Decryption and Verification or S/MIME Public Key Harvesting, the advisory says.

Software updates that fix the vulnerability are already available. Keep in mind that there are no workarounds.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. Cisco Bugs CVE-2018-0151, CVE-2018-171, CVE-2018-015. Patch Now! Three critical vulnerabilities have found in Cisco products. More specifically,...
  2. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
  3. CVE-2018-0296 Severe Flaw in Cisco ASA and Firepower Currently Exploited A new vulnerability, CVE-2018-0296, rated high-severe is affecting Cisco ASA...
  4. CVE-2019-12648: Cisco IOS Vulnerability Has a CVSS Score of 9.9 A number of high-severity vulnerabilities were unearthed in Cisco IOS...
  5. CVE-2018-0369: Yet Another High Severity Cisco Vulnerability Yet another vulnerability, identified as CVE-2018-0369, in Cisco software has...
  6. Cisco Patches ASA Software against CVE-2016-1385, CVE-2016-1379 If you’re a user of Cisco’s Adaptive Security Appliances (ASAs),...
  7. CVE-2018-0112 in Cisco WebEx Could Lead to Remote Attacks Another critical vulnerability identified as CVE-2018-0112 has been fixed Cisco...
  8. CVE-2018-0141 Cisco Vulnerability Could Lead to Full System Control CVE-2018-0141 has been identified as the latest vulnerability in Cisco’s...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree