DNS-based Authentication of Named Entities (DANE) is a new protocol that allows a domain to publish in DNS exactly which SSL/TLS certificate an application or service should use when connecting to its site.
Cisco's AsyncOS Software for the Cisco Email Security Appliance (ESA) has a vulnerability that allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
As Cisco stated, “This vulnerability is due to insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device. A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition. Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition.”
An attacker can exploit this vulnerability by sending a specially crafted email message to an affected device.
Cisco has released software patches for the vulnerability, along with details of a workaround.
Products Affected
Cisco ESA devices running a vulnerable release of Cisco AsyncOS Software with the DANE feature enabled are affected. Exploitation also requires the downstream mail servers to be configured to send bounce messages.
Cisco also highlighted that the DANE feature is not enabled by default.
How to Find if DANE is Configured?
To determine whether DANE is in use, open the UI page Mail Policies —> Destination Controls —> Add Destination and check whether the DANE Support option is enabled.
Products that are not Vulnerable
Cisco products with DANE not enabled are not affected by this vulnerability. Cisco Secure Email and Web Manager and the Cisco Web Security Appliance (WSA) are also not affected.
Cisco has released free software updates that address this issue.
Fixed Releases
Cisco customers are advised to upgrade to a fixed release.
| Cisco AsyncOS Software Release | First Fixed Release |
|---|---|
| 12.5 and earlier | Migrate to a fixed release. |
| 13.0 | 13.0.3 |
| 13.5 | 13.5.4.102 |
| 14.0 | 14.0.2.020 |
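The table above is easy to misread by eye when a fleet runs many point releases, so here is a small checker, added as an example and not part of Cisco's advisory or tooling, that encodes the fixed-release table and the "DANE must be enabled" condition from this page and reports whether a given AsyncOS version string still needs an upgrade. The version strings in the test calls are constructed for illustration; the `assess` function and its result labels are this example's own naming, not Cisco's.

```python
from typing import Dict, Tuple

# First fixed release per AsyncOS train, taken from the advisory table on this page.
# Trains not listed here (other than "12.5 and earlier") are reported as unknown
# rather than guessed.
FIRST_FIXED: Dict[str, str] = {
    "13.0": "13.0.3",
    "13.5": "13.5.4.102",
    "14.0": "14.0.2.020",
}

# Anything below 13.0 falls under "12.5 and earlier: migrate to a fixed release".
OLDEST_PATCHED_TRAIN = "13.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.0.2.020' into (14, 0, 2, 20) so tuples compare numerically.

    Leading zeros in a component are dropped, which is how AsyncOS build
    numbers like 020 are meant to be compared.
    """
    return tuple(int(part) for part in version.strip().split("."))


def release_train(version: str) -> str:
    """'13.5.4.101' -> '13.5' (the major.minor train used as the table key)."""
    parts = version.strip().split(".")
    return ".".join(parts[:2])


def assess(version: str, dane_enabled: bool) -> str:
    """Classify an ESA against this advisory.

    Returns one of:
      'not_affected'  - DANE is not enabled, so the advisory does not apply
                        (the page also notes a second precondition, downstream
                        servers sending bounces; DANE-off is the simpler gate)
      'migrate'       - 12.5 and earlier: no fix on that train, migrate
      'vulnerable'    - listed train, below the first fixed release
      'fixed'         - at or above the first fixed release for its train
      'unknown_train' - a train the advisory table does not list
    """
    if not dane_enabled:
        return "not_affected"

    parsed = parse_version(version)
    if parsed < parse_version(OLDEST_PATCHED_TRAIN):
        return "migrate"

    train = release_train(version)
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return "unknown_train"

    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, dane_enabled)
    inventory = [
        ("esa-east-1", "13.0.2", True),
        ("esa-east-2", "13.5.4.102", True),
        ("esa-west-1", "14.0.1.050", True),
        ("esa-west-2", "14.0.1.050", False),
        ("esa-legacy", "12.5.0.066", True),
    ]
    for host, ver, dane in inventory:
        print(f"{host:12} {ver:12} DANE={'on ' if dane else 'off'} -> {assess(ver, dane)}")
```

Run it against an export of your appliance versions; anything reported as `vulnerable` or `migrate` with DANE on is the set to schedule first. Because the comparison is on integer tuples, a release like 14.0.1.050 is correctly ranked below 14.0.2.020 even though the shorter string "sorts" after it lexically.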