Cisco ESA products are affected by a DoS vulnerability, tracked as CVE-2022-20653, that resides in the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA.
A remote, unauthenticated attacker can trigger the flaw by sending specially crafted emails to vulnerable devices.
The flaw is caused by insufficient error handling in DNS name resolution; the advisory points out that continued attacks could trigger a persistent DoS condition.
“This vulnerability is due to insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device. A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition,” reads the advisory published by Cisco. “Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition.”
The issue only impacts Cisco ESA products running AsyncOS Software with the DANE feature (which is disabled by default) enabled and with the downstream mail servers configured to send bounce messages.
“To determine whether DANE is configured, check the web UI page Mail Policies > Destination Controls > Add Destination and verify whether the DANE Support option is enabled,” continues the advisory.
The company released security patches (Cisco AsyncOS Software Release 22.214.171.124) and workarounds to address the vulnerability. To prevent exploitation of this bug, customers can configure bounce messages to be sent from the Cisco ESA instead of from downstream dependent mail servers.
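The advisory attributes the bug to insufficient error handling in DNS name resolution inside the DANE verification path. As an added illustration (not Cisco's code and not the vulnerable logic), the following Python sketch of a DANE/TLSA check treats resolver failures and malformed records as explicit outcomes rather than letting them escape onto the mail-processing path; the resolver callable, the `DaneLookupError` exception and all sample data are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

class DaneLookupError(Exception):
    """Raised by the (assumed) resolver callable when the TLSA query fails."""

@dataclass
class TlsaRecord:
    usage: int          # 0-3: PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(text: str) -> TlsaRecord:
    """Parse one TLSA record in presentation form "usage selector mtype hex"."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError("TLSA record needs exactly 4 fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("TLSA field out of range")
    return TlsaRecord(usage, selector, mtype, bytes.fromhex(parts[3]))

def dane_verify(domain: str, selected: bytes, resolver) -> str:
    """Return 'match', 'mismatch', 'no-dane' or 'dns-error'.
    `selected` is the certificate data the TLSA selector refers to (full DER
    certificate or its SPKI), already extracted by the caller. Resolver failures
    and malformed records become explicit results, never unhandled exceptions."""
    try:
        answers = resolver(f"_25._tcp.{domain}")   # TLSA owner name for SMTP
    except (DaneLookupError, TimeoutError, OSError):
        return "dns-error"   # caller decides: defer, fall back or fail closed
    records = []
    for answer in answers:
        try:
            records.append(parse_tlsa(answer))
        except ValueError:
            continue         # one malformed record must not abort verification
    if not records:
        return "no-dane"
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    for rec in records:
        if digest[rec.matching_type](selected) == rec.data:
            return "match"
    return "mismatch"
```

The point for a mail gateway is that a SERVFAIL, timeout or garbage TLSA answer returns a result the delivery logic can act on (defer, bounce locally, or fall back to opportunistic TLS) instead of tying up or crashing the verification component.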
The following table reports the fixed software releases that address this issue:

| Cisco AsyncOS Software Release | First Fixed Release |
|---|---|
| 12.5 and earlier | Migrate to a fixed release. |
The vulnerability was reported by Cesare Auteri, Steven Geerts, John-Paul Straver, and Roy Wiss of Rijksoverheid Dienst ICT Uitvoering (DICTU).
The good news is that Cisco PSIRT is not aware of attacks exploiting this issue in the wild.
(SecurityAffairs – hacking, CISCO ESA)