A vulnerability in Cisco AsyncOS Software for Cisco Email Security Appliance (ESADNS-based )’s Authentication of Named Entities (DANE) email verification component might allow an unauthenticated, remote attacker to cause a (DoS) issue on an affected device.
An attacker could take advantage of this flaw by sending specially crafted email messages to a device that is vulnerable. An attacker might leverage a successful exploit to make the device unavailable through management interfaces or process additional email messages for a period of time until the device recovers, resulting in a DoS problem. If the attacks continue, the device may become fully unusable, resulting in data loss.
Researchers reported that ,” A successful exploit could allow the attacker to make the device unavailable through management interfaces for a period of time until the device recovers, resulting in a DoS condition , the company noted in an alert. Continued attacks could render the device fully unusable, resulting in a chronic DoS situation.“
Separately, the networking equipment maker patched two more flaws in its Prime Infrastructure and Evolved Programmable Network Manager and Redundancy Configuration Manager that may allow an attacker to run shellcode and cause a denial-of-service attack .
The flaw, dubbed CVE-2022-20653 (CVSS score: 7.5), is caused by a lack of error handling in DNS name resolution, which might be exploited by an unauthorised, remote attacker to send a specially crafted email message and trigger a DoS.
CVE-2022-20659 (CVSS score: 6.1) – Cisco Prime Infrastructure and Evolved Programmable Network Manager cross-site scripting (XSS) vulnerability
CVE-2022-20750 (CVSS score: 5.3) – Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP denial-of-service (DoS) vulnerability.
Finally the researchers concluded that ,” The updates come only weeks after Cisco released patches for a slew of major security flaws affecting its RV Series routers, some of which had the maximum possible CVSS severity score of 10 and could be exploited to escalate privileges and run arbitrary code on impacted systems.“