Cisco Security Advisory
Cisco Email Security Appliance Internal Testing Interface Vulnerability
CVSS v2 base and temporal vector (base score 10.0): AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:C
-
A vulnerability in Cisco IronPort AsyncOS for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to obtain complete control of an affected device.
The vulnerability is due to the presence of a Cisco internal testing and debugging interface (intended for use during product manufacturing only) on customer-available software releases. An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges.
Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160922-esa
-
Vulnerable Products
Cisco ESA physical and virtual devices running any of the following software releases are affected by this vulnerability:
- 9.1.2-023
- 9.1.2-028
- 9.1.2-036
- 9.7.2-046
- 9.7.2-047
- 9.7.2-054
- 10.0.0-124
- 10.0.0-125
To identify the AsyncOS release an appliance is running, use the version command from the CLI. The following output is from an appliance running 8.5.7-044, which is not one of the affected releases:

ciscoesa> version

Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 8.5.7-044
...
Cisco Cloud Email Security (CES) includes the ESA and the Security Management Appliance (SMA) as part of the service solution. Cisco provides regular maintenance of the products included in this solution. Customers can also request a software upgrade by contacting Cisco CES support.

Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products:
- Cloud Email Security (CES) service
- Content Security Management Appliance (SMA) - virtual and physical devices
- Web Security Appliance (WSA) - virtual and physical devices
-
Only Cisco ESA devices that meet all of the following conditions are affected by this vulnerability:
- The device is running one of the previously listed affected software releases, and
- The device has been rebooted at most once since one of the previously listed affected software releases was installed (a further reboot permanently disables the interface; see the workaround below), and
- The device's Enrollment Client component version is earlier than version 1.0.2-065
On Friday, September 15, 2016, Cisco Systems made available an Enrollment Client update for ESA devices. This update, once installed, disabled the internal testing interface. Any ESA device running one of the previously listed affected software releases but with this update installed is not affected by this vulnerability.
To verify whether an ESA device has downloaded and installed the update, execute the ecstatus command from the CLI. The following example shows an ESA appliance with Enrollment Client version 1.0.2-062, which is earlier than 1.0.2-065 and therefore meets the third condition above:

ciscoesa> ecstatus

Component          Version    Last Updated
Enrollment Client  1.0.2-062  30 Aug 2016 12:21 (GMT +00:00)
ciscoesa>
-
No customer-accessible indicators of compromise are available for this vulnerability.
-
The debugging and testing interface can be disabled by rebooting an affected device. In order to reboot an ESA device, issue the reboot command from the CLI. The interface will be permanently disabled and unavailable once the device has finished rebooting.
Customers concerned about the effectiveness of the workaround should open a support case with their support organization to verify the testing interface has effectively been disabled.
-
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Customers are advised to upgrade to an appropriate release as indicated in the following table:
AsyncOS ESA Major Release   First Fixed Release
9.1.2                       9.1.2-041
9.7.2                       9.7.2-065
10.0.0                      10.0.0-203
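The three affected-device conditions listed under the details above, combined with the first-fixed-release table, reduce to a small triage check that can be run against saved CLI output. The following Python script is an added example and is not Cisco's code: it parses the `version` and `ecstatus` output formats shown in this advisory, applies the three conditions, and looks up the fixed release. The two CLI transcripts embedded in it are constructed samples in the advisory's format, and the reboot count is supplied by the operator because neither command reports it.

```python
"""Triage helper for cisco-sa-20160922-esa (added example, not Cisco's code)."""
import re

# Affected releases and first fixed releases, as listed in the advisory.
AFFECTED_RELEASES = {
    "9.1.2-023", "9.1.2-028", "9.1.2-036",
    "9.7.2-046", "9.7.2-047", "9.7.2-054",
    "10.0.0-124", "10.0.0-125",
}
FIRST_FIXED = {"9.1.2": "9.1.2-041", "9.7.2": "9.7.2-065", "10.0.0": "10.0.0-203"}
# Enrollment Client release that disables the testing interface.
EC_FIXED = "1.0.2-065"

# Constructed sample transcripts in the format the advisory shows.
VERSION_OUT = """\
ciscoesa> version

Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 9.7.2-054
"""
ECSTATUS_OUT = """\
ciscoesa> ecstatus

Component          Version    Last Updated
Enrollment Client  1.0.2-062  30 Aug 2016 12:21 (GMT +00:00)
"""


def parse_version(ver):
    """'9.7.2-054' -> (9, 7, 2, 54). Tuples compare numerically, so
    10.0.0-124 sorts after 9.7.2-054 (a plain string compare would not)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", ver.strip())
    if not m:
        raise ValueError("unrecognised AsyncOS version string: %r" % ver)
    return tuple(int(x) for x in m.groups())


def asyncos_release(version_output):
    """Pull the 'Version: X' line out of `version` output."""
    m = re.search(r"^Version:\s*(\S+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line in `version` output")
    return m.group(1)


def enrollment_client_version(ecstatus_output):
    """Pull the Enrollment Client version out of `ecstatus` output."""
    m = re.search(r"^Enrollment Client\s+(\S+)", ecstatus_output, re.MULTILINE)
    if not m:
        raise ValueError("no Enrollment Client line in `ecstatus` output")
    return m.group(1)


def is_affected(release, ec_version, reboots_since_install):
    """All three advisory conditions must hold for the device to be exposed."""
    return (release in AFFECTED_RELEASES
            and reboots_since_install <= 1
            and parse_version(ec_version) < parse_version(EC_FIXED))


def first_fixed_release(release):
    """Map a release such as '9.7.2-054' to its major train's first fix."""
    return FIRST_FIXED.get(release.rsplit("-", 1)[0])


def triage(version_output, ecstatus_output, reboots_since_install):
    """Return the parsed facts plus the recommended action."""
    release = asyncos_release(version_output)
    ec = enrollment_client_version(ecstatus_output)
    affected = is_affected(release, ec, reboots_since_install)
    if affected:
        action = "reboot now (workaround), then upgrade to %s" % first_fixed_release(release)
    else:
        action = "no action required for this advisory"
    return {"release": release, "enrollment_client": ec,
            "affected": affected, "action": action}


if __name__ == "__main__":
    # Device rebooted once (the install reboot) and never since.
    print(triage(VERSION_OUT, ECSTATUS_OUT, reboots_since_install=1))
```

The reboot count is the one input that cannot be read from the transcripts; if it is unknown, treat it as at most one and apply the reboot workaround, since a reboot on an already-patched device is harmless whereas assuming a second reboot happened is not.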
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was found during the resolution of a support case.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version   Description                       Section                   Status    Date
1.2       Added fixed software information  Fixed Software            Final     2016-October-04
1.1       Added fixed software information  Summary, Fixed Software   Final     2016-September-28
1.0       Initial public release            -                         Interim   2016-September-22
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.