Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label DoS Vulnerabilities. Show all posts

Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

 

Cisco notified customers this week that its Email Security Appliance (ESA) product is vulnerable to a high-severity denial of service (DoS) vulnerability that may be exploited using specially crafted emails. The CVE-2022-20653 vulnerability affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication. 

This vulnerability is caused by the software's insufficient error handling in DNS name resolution. An attacker could take advantage of this flaw by sending specially crafted email messages to a device that is vulnerable. A successful exploit could allow the attacker to make the device unavailable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a denial of service (DoS) issue. Repeated attacks could render the gadget fully inoperable, resulting in a persistent DoS condition, said the company. 

This vulnerability affects Cisco ESA devices running a vulnerable version of Cisco AsyncOS Software with the DANE functionality enabled and downstream mail servers configured to deliver bounce messages. 

Customers can prevent exploitation of this vulnerability by configuring bounce messages from Cisco ESA rather than downstream reliant mail servers. While this workaround has been deployed and confirmed to be functional in a test environment, users should evaluate its relevance and efficacy in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation deployed may have a negative impact on network functioning or performance due to inherent customer deployment circumstances and limitations.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco has given credit to numerous persons who worked with the Dutch government's ICT services company DICTU for reporting the security flaw. According to the networking behemoth, there is no evidence of malicious exploitation. 

Cisco also issued two advisories this week, informing users of medium-severity issues impacting Cisco RCM for Cisco StarOS software (DoS vulnerability), as well as Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (XSS vulnerability).

Critical RCE can Compromise Juniper Networks Devices

 

A critical vulnerability fixed as of late by networking and cybersecurity solutions supplier Juniper Networks could permit an attacker to remotely hijack or disrupt affected devices. The security hole, followed as CVE-2021-0254 and affecting the Junos operating system, was found by Nguyễn Hoàng Thạch, otherwise known as d4rkn3ss, a researcher with Singapore-based cybersecurity organization STAR Labs. 

The researcher disclosed to SecurityWeek that the vulnerability, which he says is the most serious bug he has ever distinguished in a Juniper product, was reported to the vendor more than half a year ago.

“A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS.” reads the security advisory published by the company. “The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens for UDP connections on port 4789. This issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution.” 

As per Nguyễn, an attacker who effectively exploits this vulnerability can acquire root admittance to the targeted system and afterward install a backdoor or configure the device “in any way they want.” The flaw can be exploited on its own and an assailant would not have to chain it with different vulnerabilities. 

Assaults from the internet are conceivable in theory, however, the vulnerable gadgets are normally not exposed to the web. The researcher believes that if such a system can be reached from the internet, it is likely misconfigured. 

The organization noticed that the overlays daemon runs naturally on MX and ACX series routers and QFX series switches. Different platforms are vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured. Juniper said it had not known about any vindictive assaults exploiting this vulnerability, yet noticed that an assault can be dispatched against default configurations.

Snort Vulnerability Leads Various Cisco Products Exposed to Vulnerabilities

 


Earlier this week, the company told its customers that several Cisco products have been exposed to DoS (Denial of Service) attacks due to Snort detection engine vulnerability. Known as CVE-2021-1285, the flaw is rated high severity, and hackers can exploit it. The attacker must be on the layer 2 domain similar to the victim, as to compel a device to fall to a DoS attack via sending it specifically made Ethernet frames. As per Cisco, the flaw exists in the Ethernet Frame Decoder part of the Snort. 

The vulnerability affects all variants of the famous intrusion detection and intrusion prevention system (IDS/IPS) made before 2.9.17, which has a bug patch. According to Security Week, "Snort is an open-source tool developed by Cisco that provides real-time traffic analysis and packet logging capabilities. It has been downloaded millions of times and it has more than 600,000 registered users, with Cisco claiming that it’s the most widely deployed IPS in the world. The alpha version of Snort 3 was announced in December 2014 and now it has finally become generally available."

Catalyst Edge software and platform, 1000v series Cloud Services Router products, and Integrated Service Router (ISR) are said to be affected by the CVE-2021-1285. But they'll be affected only if they are using a version of Cisco UTD Snort IPS engine software that is vulnerable for IOS XE or Cisco UTD Engine for IOS XE SD-WAN, and if these are configured to pass through the Ethernet frames to Snort. According to Cisco, the flaw is linked to FTD (Firepower Threat Defense) issue that was patched in October last year. 

The vulnerabilities were found during solving a support case, however, no evidence has been found to point that these vulnerabilities were exploited in any attacks. Besides this, on Wednesday Cisco issued an advisory on few other vulnerabilities, of medium severe ratings. "These impact Webex, SD-WAN, ASR, Network Services Orchestrator, IP phones, and Email Security Appliance products, and they can lead to information disclosure, path traversal, authorization bypass, DoS attacks, privilege escalation, and SQL injection," says SecurityWeek.

Unpatched Linux Kernel Vulnerabilities Could Be Exploited For Local Dos




As of late two denial-of-service (DoS) vulnerabilities evaluated as ones with Medium severity, affected the Linux kernel 4.19.2 in addition to its previous versions. The two defects are NULL pointer deference issues that can be misused by even a local attacker if he or she wishes to trigger a DoS condition.

Tracked as CVE-2018-19406, the primary issue was observed to dwell in a Linux kernel function called kvm_pv_send_ipi, which is characterized in curve/x86/kvm/lapic.c. The defect is activated when the Advanced Programmable Interrupt Controller (APIC) delineate is not initialized correctly.
To abuse the security defect, a local attacker can utilize the already 'crafted' system calls to achieve a circumstance where the apic delineate remains uninitialized.

In a published blog post the Linux contributor Wanpeng Li reports:
“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced”

The second vulnerability, which has been doled out the CVE number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is characterized in curve/x86/kvm/x86.c. The bug is activated when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not instate effectively.

Further adds the security advisor “the vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.”

“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.

Albeit informal patches for the two blemishes were discharged in the informal Linux Kernel Mailing List (LKML) archive, however despite everything they haven't been pushed upstream.