Information Security News mailing list archives

Cisco fixes serious vulnerabilities in email, Web and content security appliances


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 28 Jun 2013 08:27:02 +0000 (UTC)

https://www.computerworld.com/s/article/9240406/Cisco_fixes_serious_vulnerabilities_in_email_Web_and_content_security_appliances

By Lucian Constantin
IDG News Service
June 27, 2013

Cisco Systems released security patches for its email, Web and content security appliances in order to address vulnerabilities that could allow attackers to execute commands on the underlying OS or disrupt critical processes.

The vulnerabilities affect different versions of the Cisco IronPort AsyncOS operating system that's used in the Cisco Content Security Management Appliance, the Cisco Email Security Appliance and the Cisco Web Security Appliance.

Releases 7.1 and prior, 7.3, 7.5 and 7.6 of the software in the Cisco Email Security Appliance are affected by three vulnerabilities, one that allows remote attackers to inject and execute commands with elevated privileges through the Web interface and two that could be used to crash the management graphical user interface (GUI) or the IronPort Spam Quarantine service and cause other critical processes to become unresponsive.

Exploiting the command injection vulnerability requires authentication via the Web interface with at least a low privilege account, but the denial-of-service vulnerabilities can be exploited remotely without authentication.

[...]


