Summary

• A vulnerability in the email filtering for malformed Multipurpose Internet Mail Extensions (MIME) headers of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to bypass the filtering functionality of the targeted device. Emails that should have been quarantined could instead be processed.
  
  The vulnerability is due to improper error handling when malformed MIME headers are present in the email attachment. An attacker could exploit this vulnerability by sending an email with a crafted attachment encoded with MIME. A successful exploit could allow the attacker to bypass the configured ESA email message and content filtering or WSA service scanning content for web access.
  
  Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
  
  This advisory is available at the following link:
  
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2

Affected Products

• Vulnerable Products

  This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for Cisco ESA and Cisco WSA, both virtual and hardware appliances, that are configured with message or content filters to scan incoming email attachments on the ESA or services scanning content of web access on the WSA. The following example shows a configured message filter to scan files with .zip or .exe attachments:
  
  Test_Attachment_Rules:
      if attachment-filename == "(?i)\\.zip$" { log-entry("Rule attachment-filename found a .zip file"); }
      if attachment-filename == "(?i)\\.exe$" { log-entry("Rule attachment-filename found a .exe file"); }
      if attachment-filetype == "Compressed" { log-entry("Rule attachment-filetype found type Compressed"); }
      if attachment-filetype == "Executable" { log-entry("Rule attachment-filetype found type Executable"); }
  
  To determine which release of Cisco AsyncOS Software is running on an ESA, administrators can use the version command in the CLI. The following example shows the output of the version command for an ESA running Cisco AsyncOS Software Release 8.5.7-044:
  

  ciscoesa> version
  
  Current Version
  ===============
  Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
  Model: X1070
  Version: 8.5.7-044
  .
  .
  .

  Note that Cisco provides regular maintenance of products in the Cisco Cloud Email Security (CES) service solution, which includes Cisco Email Security Appliances and Cisco Content Security Management Appliances. Customers can also request a software upgrade by contacting Cisco CES support.
  
  To determine whether a vulnerable version of Cisco AsyncOS Software is running on a Cisco WSA, administrators can use the version command in the WSA CLI. The following example shows the results for an appliance running Cisco AsyncOS Software version 8.5.3-051:
  

  ciscowsa> version
  
  Current Version
  
  ===============
  
  Product: Cisco IronPort S670 Web Security Appliance
  
  Model: S670
  
  Version: 8.5.3-051
  
  .
  
  .
  
  .

  
  

  Products Confirmed Not Vulnerable

  The following products are not vulnerable:
  

  • Cisco Security Mail Appliance, both virtual and hardware versions

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• Duplicate Boundaries Verification
  
  Cisco Email Security Appliance can now detect messages with duplicate MIME boundaries and perform actions on them.
  
  Use the Duplicate Boundaries Verification content filter condition or the duplicate_boundaries message filter rule to detect messages with duplicate MIME boundaries.
  
  Example
  
  The following message filter will quarantine all the messages that contain duplicate MIME boundaries.
  
  DuplicateBoundaries: if (duplicate_boundaries) {
  quarantine("Policy"); }

Workarounds

• Workarounds that address this vulnerability are not available.
  

Fixed Software

• Cisco provides information about fixed software in Cisco bugs, which are accessible through the Cisco Bug Search Tool.
  
  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was found during resolution of a support case.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2

Revision History

• Version	Description	Section	Status	Date
  1.1	Updated the Summary and Vulnerable Products descriptions.	Summary Vulnerable Products	Final	2016-October-28
  1.0	Initial public release.	—	Final	2016-October-26

  Show Less