Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2528
Cisco Email and Web Security Appliance MIME Header Bypass Vulnerability
28 October 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Web Security Appliances (WSA)
Cisco Email Security Appliances (ESA)
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-6372 CVE-2016-1480
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa1
Comment: This bulletin contains two (2) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security Advisory
Cisco Email and Web Security Appliance MIME Header Bypass Vulnerability
Medium
Advisory ID: cisco-sa-20161026-esawsa2
First Published: 2016 October 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs:
CSCuy54740
CSCuy75174
CVSS Score:
Base 5.0, Temporal 4.8
Base 5.0, Temporal 4.8 AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE-2016-6372
CWE-20
Summary
A vulnerability in the email message and content filtering for malformed
Multipurpose Internet Mail Extensions (MIME) headers of Cisco AsyncOS Software
for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA)
could allow an unauthenticated, remote attacker to bypass the filtering
functionality of the targeted device. Emails that should have been quarantined
could instead be processed.
The vulnerability is due to improper error handling when malformed MIME
headers are present in the email attachment. An attacker could exploit this
vulnerability by sending an email with a crafted attachment encoded with MIME.
A successful exploit could allow the attacker to bypass the configured email
message and content filtering.
Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2
Affected Products
Vulnerable Products
This vulnerability affects all releases prior to the first fixed release of
Cisco AsyncOS Software for Cisco ESA and Cisco WSA on both virtual and
hardware appliances that are configured with message or content filters to
scan incoming email attachments. The following example shows a configured
message filter to scan files with .zip or .exe attachments:
Test_Attachment_Rules:
if attachment-filename == "(?i)\\.zip$" { log-entry("Rule
attachment-filename found a .zip file"); }
if attachment-filename == "(?i)\\.exe$" { log-entry("Rule
attachment-filename found a .exe file"); }
if attachment-filetype == "Compressed" { log-entry("Rule
attachment-filetype found type Compressed"); }
if attachment-filetype == "Executable" { log-entry("Rule
attachment-filetype found type Executable"); }
To determine which release of Cisco AsyncOS Software is running on an ESA,
administrators can use the version command in the CLI. The following example
shows the output of the version command for an ESA running Cisco AsyncOS
Software Release 8.5.7-044:
ciscoesa> version
Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 8.5.7-044
.
.
.
Note that Cisco provides regular maintenance of products in the Cisco Cloud
Email Security (CES) service solution, which includes Cisco Email Security
Appliances and Cisco Content Security Management Appliances. Customers can
also request a software upgrade by contacting Cisco CES support.
To determine whether a vulnerable version of Cisco AsyncOS Software is running
on a Cisco WSA, administrators can use the version command in the WSA CLI. The
following example shows the results for an appliance running Cisco AsyncOS
Software version 8.5.3-051:
ciscowsa> version
Current Version
===============
Product: Cisco IronPort S670 Web Security Appliance
Model: S670
Version: 8.5.3-051
.
.
.
Products Confirmed Not Vulnerable
The following products are not vulnerable:
Cisco Security Mail Appliance, both virtual and hardware versions
No other Cisco products are currently known to be affected by this
vulnerability.
Details
Duplicate Boundaries Verification
Cisco Email Security Appliance can now detect messages with duplicate MIME
boundaries and perform actions on them.
Use the Duplicate Boundaries Verification content filter condition or the
duplicate_boundaries message filter rule to detect messages with duplicate
MIME boundaries.
Example
The following message filter will quarantine all the messages that contain
duplicate MIME boundaries.
DuplicateBoundaries: if (duplicate_boundaries) {
quarantine("Policy"); }
Workarounds
Workarounds that address this vulnerability are not available.
Fixed Software
Cisco provides information about fixed software in Cisco bugs, which are
accessible through the Cisco Bug Search Tool.
When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.
In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.
Source
This vulnerability was found during resolution of a support case.
URL
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2
Revision History
Version Description Section Status Date
1.0 Initial public release. Final 2016-October-26
LEGAL DISCLAIMER
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.
- ---
Cisco Security Advisory
Cisco Email and Web Security Appliance Malformed MIME Header Vulnerability
Medium
Advisory ID: cisco-sa-20161026-esawsa1
First Published: 2016 October 26 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs:
CSCuw03606
CSCux59734
CVSS Score:
Base 5.0, Temporal 4.4
Base 5.0, Temporal 4.4 AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
CVE-2016-1480
CWE-20
Summary
A vulnerability in the Multipurpose Internet Mail Extensions (MIME) scanner of
Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web
Security Appliances (WSA) could allow an unauthenticated, remote attacker to
bypass configured user filters on the device.
The vulnerability is due to improper error handling of a malformed MIME header
in an email attachment. An attacker could exploit this vulnerability by
sending an email with a crafted MIME attachment. For example, a successful
exploit could allow the attacker to bypass configured user filters to prevent
executable files from being opened. The malformed MIME headers may not be RFC
compliant but some mail clients could still allow users to access the
attachment, which may not have been properly filtered by the device.
Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa1
Affected Products
Vulnerable Products
This vulnerability affects all releases prior to the first fixed release of
Cisco AsyncOS Software for Cisco ESA and Cisco WSA, both virtual and hardware
appliances, if the software is configured with message or content filters to
scan incoming email attachments. The following is an example of a configured
message filter to scan files with .zip or .exe attachments:
Test_Attachment_Rules:
if attachment-filename == "(?i)\\.zip$" { log-entry("Rule
attachment-filename found a .zip file"); }
if attachment-filename == "(?i)\\.exe$" { log-entry("Rule
attachment-filename found a .exe file"); }
if attachment-filetype == "Compressed" { log-entry("Rule
attachment-filetype found type Compressed"); }
if attachment-filetype == "Executable" { log-entry("Rule
attachment-filetype found type Executable"); }
To determine which release of Cisco AsyncOS Software is running on an ESA,
administrators can use the version command in the CLI. The following example
shows the output of the version command for an ESA running Cisco AsyncOS
Software Release 8.5.7-044:
ciscoesa> version
Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 8.5.7-044
.
.
.
Note that Cisco provides regular maintenance of products in the Cisco Cloud
Email Security (CES) service solution, which includes Cisco Email Security
Appliances and Cisco Content Security Management Appliances. Customers can
also request a software upgrade by contacting Cisco CES support.
To determine whether a vulnerable version of Cisco AsyncOS Software is running
on a Cisco WSA, administrators can use the version command in the WSA
command-line interface (CLI). The following example shows the results for an
appliance running Cisco AsyncOS Software version 8.5.3-051:
ciscowsa> version
Current Version
===============
Product: Cisco IronPort S670 Web Security Appliance
Model: S670
Version: 8.5.3-051
.
.
.
Products Confirmed Not Vulnerable
The following products are not vulnerable:
Cisco Security Mail Appliance, both virtual and hardware versions
No other Cisco products are currently known to be affected by this
vulnerability.
Details
Message Filter Rule to Detect Malformed MIME Headers
You can now take actions on messages with malformed MIME headers using the new
message filter rule malformed-header. The following example shows how to
quarantine all the messages with malformed MIME headers:
quarantine_malformed_headers: if (malformed-header)
{
quarantine("Policy");
}
Workarounds
Workarounds that address this vulnerability are not available.
Fixed Software
Cisco provides information about fixed software in Cisco bugs, which are
accessible through the Cisco Bug Search Tool.
When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.
In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.
Source
This vulnerability was found during resolution of a support case.
URL
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa1
Revision History
Version Description Section Status Date
1.0 Initial public release. Final 2016-October-26
LEGAL DISCLAIMER
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWBLZ8Yx+lLeg9Ub1AQhSqg/+L/3erqG84kptgnBlOibcQiehllkEYKDd
qhGcM1u6HDxzwG4cG+2HVsoW+0+UIlFTEVz0Wxf3pjAeO2GLISGctUuHSTIHC6qg
/1IUjvtmoZ9EvnBF2GdA9Ywlo8OtKhyKUBo5jCuBtCp4GPe/OeOToCyf0BHg1J1q
0YYYy28w+2FNCiSX+j5qUiOzxG1TR7BUHHLaybMSp3kF4vbZ4eIljt++EuB3p/gW
e9RSBlijm8/6hX5Lzn6GDWGk/uNu2Gno5fNy2uLDMzYzoH30IlSU0ttrSKt4HdhD
v0yjlnLTBdlbfexT/kakX/Jg39OirifzJ6U39CyBJccGdZD9S+OPMwEtxqmjxALA
jBXG8xkzYum9cdk/TcpPBpj1dmADUMmKMJOM7KhIg92fa6p39FygaVcdC0R3qJTv
j2l5RDdL9onpu/mLAp4fochGNe+NY++Sghk9DVLvrAvfqefvjilWU72l6egTVSjN
uo3UJbUmNnuIUNBOfgiphNJbMrhnOGvtD9OMgiri5sVh985CtgGxlgNXtAFCVL9i
T4vcMHHPen2jKj6kUnKRCA9qaY6J4poX3Q3KTicddsAk7E5e93QEExHItwbnhUEc
c7QQU6bvOJVkgMSQC8vsYQAf9opxmIMbJdr3bxO2jtkAhgd/gRCHygSOIZFdV39D
EtpARi7ppTk=
=jlFA
-----END PGP SIGNATURE-----