Etek

Cisco Issues Email Security Updates Due to DoS Issue

Cisco has disclosed a high-severity vulnerability that could allow remote attackers to crash Cisco secure email appliances using maliciously crafted email messages.

The vulnerability, tracked as CVE-2022-20653, lies in the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS for Cisco Email Security Appliance (ESA) software and could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. It should be noted that the DANE feature is not enabled by default.

This weakness is due to insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this vulnerability by sending specially formatted emails that are processed by the affected device. Successful exploitation could leave the device unreachable from its management interfaces, or unable to process additional email messages, for a period of time until the device recovers, resulting in a DoS condition. Persistent attacks could render the device completely inaccessible.

DANE Configuration

Although the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default.

Administrators can check whether DANE is configured under Mail Policies > Destination Controls > Add Destination in the web interface and confirm whether the DANE Support option is enabled.

Cisco has also confirmed that CVE-2022-20653 does not affect the Web Security Appliance (WSA), the Secure Email and Web Manager, or ESA devices that do not have the DANE feature enabled.

Recommendations

  • Verify that the DANE feature on your devices is disabled.
  • Upgrade to an appropriate fixed software version, as indicated in the upgrade tables in Cisco's security advisory (linked below).
Cisco Security

Use cases*:

  • Tracking activities of a possible Zero-Day Attack
  • Phishing Prevention & Anti-spam Protection
  • Possible DNS connection to, or use of, an unauthorized DNS server
  • Possible DoS activity on the network

* To receive these detections, the customer must have contracted SOC services.

For more information, consult the following sources related to this news:

  • https://securityaffairs.co/wordpress/128131/hacking/cisco-esa-dos.html
  • https://www.bleepingcomputer.com/news/security/hackers-can-crash-cisco-secure-email-gateways-using-malicious-emails/
  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-MxZvGtgU
  • https://www.cisa.gov/uscert/ncas/current-activity/2022/02/17/cisco-releases-security-updates-email-security-appliance
  • https://www.securityweek.com/malicious-emails-can-crash-cisco-email-security-appliances
  • https://www.itnews.com.au/news/cisco-email-appliances-have-a-brickable-vulnerability-576199
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20653