Published on: 10 January 2019
Cisco has released security advisories to address multiple vulnerabilities in Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) that have either the “URL Filtering as Global Setting” feature enabled or “S/MIME Decryption and Verification” configured. A remote attacker could exploit the vulnerabilities by sending a specially crafted email message to an affected system.
The affected systems are Cisco ESA running Cisco AsyncOS Software versions prior to 9.0, and versions 9.x, 10.x, 11.0.x and 11.1.x.
Successful exploitation of the vulnerabilities could lead to denial of service on an affected system.
Software updates for affected systems are now available. Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. For detailed information on the available patches, please refer to the "Fixed Software" section of the corresponding security advisory on the vendor's website.
Users should contact their product support vendors for the fixes and assistance.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-url-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-dos
https://www.hkcert.org/my_url/en/alert/19011002
https://www.us-cert.gov/ncas/current-activity/2019/01/09/Cisco-Releases-Security-Updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15460