Cisco’s Email Security Appliances (ESAs) can be bricked because of a bug in how they verify incoming emails.
In the AsyncOS software they run, the ESAs use DNS-based Authentication of Named Entities (DANE) to set up a secure connection for email transmission.
What Cesare Auteri, Steven Geerts, John-Paul Straver, and Roy Wiss of Rijksoverheid Dienst ICT Uitvoering discovered was that the DANE implementation has insufficient error handling in its DNS name resolution (CVE-2022-20653).
“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition,” the Cisco advisory says.
It gets worse: repeated attacks “could cause the device to become completely unavailable, resulting in a persistent DoS condition”. In other words, an attacker could potentially brick the target device.
The advisory explained that, as well as running a vulnerable version of AsyncOS, a target is only attackable if its downstream mail servers are configured to send bounce messages.
AsyncOS versions 12.5 and earlier, as well as 13.0, 13.5, and 14.0, are vulnerable. Patches are available for the three newer versions, but users on pre-12.5 software versions will need to update to a fixed release.
The company had two other patch announcements, for bugs rated medium-severity.
Cisco’s Redundancy Configuration Manager for StarOS can be force-restarted if an attacker sends it malformed TCP data (CVE-2022-20750). Patched software is available.
Finally, a cross-site scripting vulnerability (CVE-2022-20659) allowing attacks against users has been fixed in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager.