
CVE-2018-15453 Vulnerability Affects Cisco AsyncOS

A serious security vulnerability, identified as CVE-2018-15453, has been found in Cisco AsyncOS. More precisely, the vulnerability is located in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), as per the official advisory.

CVE-2018-15453 Technical Overview

The CVE-2018-15453 flaw could allow an unauthenticated, remote attacker to cause a vulnerable device to corrupt system memory. Furthermore, a successful exploit could cause the filtering process to reload unexpectedly, which could lead to a denial-of-service condition on the target device, Cisco explained.

Fortunately, fixes for the critical vulnerability are already available.


What is S/MIME? It is a protocol that enables users to digitally sign and encrypt email messages from an email client. The problem is that threat actors could trigger a permanent DoS condition on a Cisco email security appliance simply by sending a malicious S/MIME-signed email through a target device. In other words, CVE-2018-15453 stems from improper validation of S/MIME-signed emails.

In addition:

If Decryption and Verification or Public Key Harvesting is configured, the filtering process could crash due to memory corruption and restart, resulting in a DoS condition. The software could then resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again. A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA.
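
Because only S/MIME-signed mail reaches the affected code path, a triage step is to sort quarantined or archived messages by S/MIME type. The sketch below is an added example, not code from Cisco or the advisory: it uses the standard S/MIME media types (RFC 8551) and constructed sample messages with placeholder bodies, and it only identifies the message type, not whether the signature structure is well-formed.

```python
from email import message_from_string
from email.message import Message
from typing import List, Optional

# S/MIME media types (RFC 8551); some senders still emit the legacy "x-" names.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
ENCRYPTED = {"enveloped-data", "authenveloped-data"}


def classify_part(part: Message) -> Optional[str]:
    """Return the S/MIME kind of one MIME part, or None if it is not S/MIME."""
    ctype = part.get_content_type()
    if ctype == "multipart/signed":
        # Detached signature: the protocol parameter separates S/MIME from PGP/MIME.
        proto = str(part.get_param("protocol") or "").lower()
        return "signed-detached" if proto in PKCS7_SIG else None
    if ctype in PKCS7_MIME:
        smime_type = str(part.get_param("smime-type") or "").lower()
        if smime_type == "signed-data":
            return "signed-opaque"
        if smime_type in ENCRYPTED:
            return "encrypted"
        return "pkcs7-unspecified"  # smime-type is optional; still S/MIME
    return None


def classify_message(raw: str) -> List[str]:
    """List the distinct S/MIME kinds found anywhere in the MIME tree."""
    kinds: List[str] = []
    for part in message_from_string(raw).walk():
        kind = classify_part(part)
        if kind and kind not in kinds:
            kinds.append(kind)
    return kinds


# Constructed sample messages; signature and CMS bodies are placeholders.
DETACHED = ('Content-Type: multipart/signed; micalg=sha-256; boundary="b1"; '
            'protocol="application/pkcs7-signature"\n\n'
            '--b1\nContent-Type: text/plain\n\nhello\n'
            '--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n\n'
            'PLACEHOLDER\n--b1--\n')
OPAQUE = ('Content-Type: application/pkcs7-mime; smime-type=signed-data; '
          'name=smime.p7m\n\nPLACEHOLDER\n')
PGP = ('Content-Type: multipart/signed; boundary="b2"; '
       'protocol="application/pgp-signature"\n\n'
       '--b2\nContent-Type: text/plain\n\nhi\n--b2--\n')

if __name__ == "__main__":
    for name, raw in (("detached", DETACHED), ("opaque", OPAQUE), ("pgp", PGP)):
        print(name, classify_message(raw))
```
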

Who is vulnerable? CVE-2018-15453 affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), both virtual and hardware appliances, if the software is configured for S/MIME Decryption and Verification or S/MIME Public Key Harvesting, the advisory says.

Software updates that fix the vulnerability are already available. Keep in mind that there are no workarounds.

Milena Dimitrova
