Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages.
The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats.
This bug is due to an insufficient error handling issue in DNS name resolution found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.
“An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device,” Cisco explained.
“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS [Denial-of-Service] condition.”
To make things even worse, continued attacks can cause the targeted devices to become completely unavailable, which results in a persistent DoS condition.
The company’s Product Security Incident Response Team (PSIRT) said that it found no evidence of malicious exploitation in the wild before the security advisory was published on Wednesday.
Vulnerable component not enabled by default
While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default.
Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on.
Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled.
The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.
Earlier this month, Cisco patched several maximum severity flaws with proof-of-concept exploit code available that would enable threat actors to take control of Small Business RV Series routers without authentication.