Cisco released software updates for its Email Security Appliances (ESA) that fix nine vulnerabilities.
The most serious, rated “high severity,” are three denial of service (DoS) flaws in the AsyncOS software for Cisco ESA. The vulnerabilities allow a remote, unauthenticated attacker to cause a DoS condition using specially crafted emails and malicious attachments.
CVE-2016-1481 and CVE-2016-6356 affect AsyncOS versions 8.0 and prior, 8.5, 9.0, 9.1, 9.5, 9.6, 9.7 and 10.0. Users should update their installations to versions 9.1.2-041, 9.7.2-065 or 10.0.0-203. The issue identified as CVE-2016-1486 only impacts versions 9.7 and 10.0.
The other ESA vulnerabilities allow unauthenticated remote attackers to trick a user into clicking a malicious link, trigger a DoS condition, and bypass various filters. Some of these security holes also affect the networking giant’s Web Security Appliances.
All of these flaws were discovered by Cisco during the resolution of support cases, and there is no evidence that any of them have been exploited for malicious purposes.
Cisco also alerted users about a critical unauthorized access vulnerability in the interdevice communications interface of the IP Interoperability and Collaboration System (IPICS) Universal Media Services (UMS).
This vulnerability allows a remote attacker to modify configuration parameters and cause the system to become unavailable.