Cisco released two security updates that fix vulnerabilities in the AsyncOS software running on its Email Security Appliance (ESA).
One of the vulnerabilities (CVE-2018-15453) is rated critical: it can corrupt system memory on the appliance and lead to a Denial of Service (DoS) condition.
An excerpt of the vulnerability from the Cisco advisory:
“A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory. A successful exploit could cause the filtering process to unexpectedly reload, resulting in a denial of service (DoS) condition on the device.”
A second patch, rated High severity, addresses a URL filtering DoS vulnerability (CVE-2018-15460).
“The vulnerability is due to improper filtering of email messages that contain references to whitelisted URLs. An attacker could exploit this vulnerability by sending a malicious email message that contains a large number of whitelisted URLs,” Cisco noted.
The patches should be applied as soon as possible.