-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2528
  Cisco Email and Web Security Appliance MIME Header Bypass Vulnerability
                              28 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Web Security Appliances (WSA)
                   Cisco Email Security Appliances (ESA)
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6372 CVE-2016-1480

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa1

Comment: This bulletin contains two (2) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Email and Web Security Appliance MIME Header Bypass Vulnerability

Medium

Advisory ID:     cisco-sa-20161026-esawsa2
First Published: 2016 October 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCuy54740 CSCuy75174
CVSS Score:      Base 5.0, Temporal 4.8
                 AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE-2016-6372
CWE-20

Summary

A vulnerability in the email message and content filtering for malformed
Multipurpose Internet Mail Extensions (MIME) headers of Cisco AsyncOS
Software for Cisco Email Security Appliances (ESA) and Web Security
Appliances (WSA) could allow an unauthenticated, remote attacker to bypass
the filtering functionality of the targeted device. Emails that should have
been quarantined could instead be delivered.

The vulnerability is due to improper error handling when malformed MIME
headers are present in the email attachment. An attacker could exploit this
vulnerability by sending an email with a crafted MIME-encoded attachment. A
successful exploit could allow the attacker to bypass the configured email
message and content filtering.

Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2

Affected Products

Vulnerable Products

This vulnerability affects all releases prior to the first fixed release of
Cisco AsyncOS Software for Cisco ESA and Cisco WSA, on both virtual and
hardware appliances, that are configured with message or content filters to
scan incoming email attachments. The following example shows a configured
message filter that scans for .zip or .exe attachments:

    Test_Attachment_Rules:
    if attachment-filename == "(?i)\\.zip$" {
        log-entry("Rule attachment-filename found a .zip file");
    }
    if attachment-filename == "(?i)\\.exe$" {
        log-entry("Rule attachment-filename found a .exe file");
    }
    if attachment-filetype == "Compressed" {
        log-entry("Rule attachment-filetype found type Compressed");
    }
    if attachment-filetype == "Executable" {
        log-entry("Rule attachment-filetype found type Executable");
    }

To determine which release of Cisco AsyncOS Software is running on an ESA,
administrators can use the version command in the CLI. The following example
shows the output of the version command for an ESA running Cisco AsyncOS
Software Release 8.5.7-044:

    ciscoesa> version

    Current Version
    ===============
    Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
    Model: X1070
    Version: 8.5.7-044
    .
    .
    .

Note that Cisco provides regular maintenance of products in the Cisco Cloud
Email Security (CES) service solution, which includes Cisco Email Security
Appliances and Cisco Content Security Management Appliances. Customers can
also request a software upgrade by contacting Cisco CES support.

To determine whether a vulnerable version of Cisco AsyncOS Software is
running on a Cisco WSA, administrators can use the version command in the
WSA CLI. The following example shows the results for an appliance running
Cisco AsyncOS Software version 8.5.3-051:

    ciscowsa> version

    Current Version
    ===============
    Product: Cisco IronPort S670 Web Security Appliance
    Model: S670
    Version: 8.5.3-051
    .
    .
    .

Products Confirmed Not Vulnerable

The following products are not vulnerable:

    Cisco Security Mail Appliance, both virtual and hardware versions

No other Cisco products are currently known to be affected by this
vulnerability.

Details

Duplicate Boundaries Verification

Fixed releases of the Cisco Email Security Appliance can detect messages
with duplicate MIME boundaries and perform actions on them. Use the
Duplicate Boundaries Verification content filter condition or the
duplicate_boundaries message filter rule to detect messages with duplicate
MIME boundaries.

Example

The following message filter will quarantine all messages that contain
duplicate MIME boundaries:

    DuplicateBoundaries:
    if (duplicate_boundaries) {
        quarantine("Policy");
    }

Workarounds

Workarounds that address this vulnerability are not available.

Fixed Software

Cisco provides information about fixed software in Cisco bugs, which are
accessible through the Cisco Bug Search Tool. This advisory does not list
the first fixed release itself; the fixed versions are recorded against the
bug IDs above (CSCuy54740 and CSCuy75174) in the Bug Search Tool, so check
them for your platform before comparing against the version command output.

When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

This vulnerability was found during resolution of a support case.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa2

Revision History

    Version  Description              Section  Status  Date
    1.0      Initial public release.           Final   2016-October-26

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.

- ---

Cisco Security Advisory

Cisco Email and Web Security Appliance Malformed MIME Header Vulnerability

Medium

Advisory ID:     cisco-sa-20161026-esawsa1
First Published: 2016 October 26 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCuw03606 CSCux59734
CVSS Score:      Base 5.0, Temporal 4.4
                 AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C
CVE-2016-1480
CWE-20

Summary

A vulnerability in the Multipurpose Internet Mail Extensions (MIME) scanner
of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web
Security Appliances (WSA) could allow an unauthenticated, remote attacker to
bypass configured user filters on the device.

The vulnerability is due to improper error handling of a malformed MIME
header in an email attachment. An attacker could exploit this vulnerability
by sending an email with a crafted MIME attachment. For example, a
successful exploit could allow the attacker to bypass user filters that are
configured to stop executable attachments from reaching users. The malformed
MIME headers are not RFC compliant, but some mail clients parse them
leniently and still let the user open an attachment that the device failed
to filter; the bypass is a parsing difference between the gateway and the
client.

Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa1

Affected Products

Vulnerable Products

This vulnerability affects all releases prior to the first fixed release of
Cisco AsyncOS Software for Cisco ESA and Cisco WSA, both virtual and
hardware appliances, if the software is configured with message or content
filters to scan incoming email attachments. The following is an example of a
configured message filter that scans for .zip or .exe attachments:

    Test_Attachment_Rules:
    if attachment-filename == "(?i)\\.zip$" {
        log-entry("Rule attachment-filename found a .zip file");
    }
    if attachment-filename == "(?i)\\.exe$" {
        log-entry("Rule attachment-filename found a .exe file");
    }
    if attachment-filetype == "Compressed" {
        log-entry("Rule attachment-filetype found type Compressed");
    }
    if attachment-filetype == "Executable" {
        log-entry("Rule attachment-filetype found type Executable");
    }

To determine which release of Cisco AsyncOS Software is running on an ESA,
administrators can use the version command in the CLI. The following example
shows the output of the version command for an ESA running Cisco AsyncOS
Software Release 8.5.7-044:

    ciscoesa> version

    Current Version
    ===============
    Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
    Model: X1070
    Version: 8.5.7-044
    .
    .
    .

Note that Cisco provides regular maintenance of products in the Cisco Cloud
Email Security (CES) service solution, which includes Cisco Email Security
Appliances and Cisco Content Security Management Appliances. Customers can
also request a software upgrade by contacting Cisco CES support.

To determine whether a vulnerable version of Cisco AsyncOS Software is
running on a Cisco WSA, administrators can use the version command in the
WSA command-line interface (CLI). The following example shows the results
for an appliance running Cisco AsyncOS Software version 8.5.3-051:

    ciscowsa> version

    Current Version
    ===============
    Product: Cisco IronPort S670 Web Security Appliance
    Model: S670
    Version: 8.5.3-051
    .
    .
    .

Products Confirmed Not Vulnerable

The following products are not vulnerable:

    Cisco Security Mail Appliance, both virtual and hardware versions

No other Cisco products are currently known to be affected by this
vulnerability.

Details

Message Filter Rule to Detect Malformed MIME Headers

You can now take actions on messages with malformed MIME headers using the
new message filter rule malformed-header. The following example shows how
to quarantine all messages with malformed MIME headers:

    quarantine_malformed_headers:
    if (malformed-header) {
        quarantine("Policy");
    }

Workarounds

Workarounds that address this vulnerability are not available.

Fixed Software

Cisco provides information about fixed software in Cisco bugs, which are
accessible through the Cisco Bug Search Tool. As with the companion
advisory, the first fixed release is not stated here; look up CSCuw03606
and CSCux59734 in the Bug Search Tool for the fixed versions on your
platform.

When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

This vulnerability was found during resolution of a support case.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa1

Revision History

    Version  Description              Section  Status  Date
    1.0      Initial public release.           Final   2016-October-26

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWBLZ8Yx+lLeg9Ub1AQhSqg/+L/3erqG84kptgnBlOibcQiehllkEYKDd
qhGcM1u6HDxzwG4cG+2HVsoW+0+UIlFTEVz0Wxf3pjAeO2GLISGctUuHSTIHC6qg
/1IUjvtmoZ9EvnBF2GdA9Ywlo8OtKhyKUBo5jCuBtCp4GPe/OeOToCyf0BHg1J1q
0YYYy28w+2FNCiSX+j5qUiOzxG1TR7BUHHLaybMSp3kF4vbZ4eIljt++EuB3p/gW
e9RSBlijm8/6hX5Lzn6GDWGk/uNu2Gno5fNy2uLDMzYzoH30IlSU0ttrSKt4HdhD
v0yjlnLTBdlbfexT/kakX/Jg39OirifzJ6U39CyBJccGdZD9S+OPMwEtxqmjxALA
jBXG8xkzYum9cdk/TcpPBpj1dmADUMmKMJOM7KhIg92fa6p39FygaVcdC0R3qJTv
j2l5RDdL9onpu/mLAp4fochGNe+NY++Sghk9DVLvrAvfqefvjilWU72l6egTVSjN
uo3UJbUmNnuIUNBOfgiphNJbMrhnOGvtD9OMgiri5sVh985CtgGxlgNXtAFCVL9i
T4vcMHHPen2jKj6kUnKRCA9qaY6J4poX3Q3KTicddsAk7E5e93QEExHItwbnhUEc
c7QQU6bvOJVkgMSQC8vsYQAf9opxmIMbJdr3bxO2jtkAhgd/gRCHygSOIZFdV39D
EtpARi7ppTk=
=jlFA
-----END PGP SIGNATURE-----
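Editor's note on the two advisories above. Both describe the same failure mode: an attachment filter that scans only the parts its MIME parser recognised fails open when the parser chokes on a malformed header or a reused boundary, and the fix in each case is a rule that acts on the parse failure itself (malformed-header, duplicate_boundaries). The Python below is an added example written for this page; it is not Cisco code and does not reproduce AsyncOS behaviour. It parses four constructed sample messages with the standard library, shows a naive verdict that delivers a message the parser could not split into parts, and a hardened verdict that quarantines on any recorded parser defect or duplicate boundary declaration. The filter policy (BLOCKED_NAME, BLOCKED_TYPES), the function names and the sample messages are assumptions modelled on the page's Test_Attachment_Rules filter.

```python
"""Fail-closed MIME attachment screening (added example, not Cisco code).

A gateway filter that only inspects the attachments its MIME parser managed
to recognise fails open on malformed input. This version treats parser
defects and duplicate boundary declarations as reasons to quarantine,
mirroring the malformed-header and duplicate_boundaries filter rules.
"""
from __future__ import annotations

import re
from email import message_from_bytes, policy

# Hypothetical policy, modelled on the page's Test_Attachment_Rules filter:
# block by filename extension or by declared content type.
BLOCKED_NAME = re.compile(r"\.(zip|exe)$", re.IGNORECASE)
BLOCKED_TYPES = {"application/zip", "application/x-msdownload"}

# Every boundary= parameter anywhere in the raw message. Scanning the raw
# bytes rather than the parsed tree is deliberate: a boundary the parser
# swallowed is exactly the one we want to notice.
BOUNDARY_RE = re.compile(rb'boundary\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def has_duplicate_boundaries(raw: bytes) -> bool:
    declared = [b.strip() for b in BOUNDARY_RE.findall(raw)]
    return len(declared) != len(set(declared))


def parse_defects(msg) -> list[str]:
    """Names of the defects the parser recorded on the message or any part."""
    return [type(d).__name__ for part in msg.walk() for d in part.defects]


def blocked_attachments(msg) -> list[str]:
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if BLOCKED_NAME.search(name) or part.get_content_type() in BLOCKED_TYPES:
            hits.append(name or part.get_content_type())
    return hits


def naive_verdict(raw: bytes) -> str:
    """Fail-open: a message the parser could not split into parts has no
    attachments to match, so it is delivered."""
    msg = message_from_bytes(raw, policy=policy.default)
    return "quarantine" if blocked_attachments(msg) else "deliver"


def hardened_verdict(raw: bytes) -> tuple[str, list[str]]:
    """Fail-closed: parse trouble is itself a reason to quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if has_duplicate_boundaries(raw):
        reasons.append("duplicate_boundaries")
    reasons += ["malformed-header:" + d for d in parse_defects(msg)]
    reasons += ["attachment:" + n for n in blocked_attachments(msg)]
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages for this example (not real traffic).
HDR = b"From: a@example.test\r\nTo: b@example.test\r\nSubject: test\r\n"
EXE_PART = (
    b'Content-Type: application/x-msdownload; name="setup.exe"\r\n'
    b'Content-Disposition: attachment; filename="setup.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n"
)
CLEAN = (HDR + b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
         b"--outer\r\nContent-Type: text/plain\r\n\r\nhello\r\n--outer--\r\n")
WITH_EXE = (HDR + b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
            b"--outer\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
            b"--outer\r\n" + EXE_PART + b"--outer--\r\n")
# Header declares "outer", body uses "OUTER": boundaries are case-sensitive,
# so a strict parser finds no parts and records StartBoundaryNotFoundDefect.
MALFORMED = (HDR + b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
             b"--OUTER\r\n" + EXE_PART + b"--OUTER--\r\n")
# Inner multipart reuses the outer boundary string.
DUP = (HDR + b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
       b'--b1\r\nContent-Type: multipart/alternative; boundary="b1"\r\n\r\n'
       b"--b1\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
       b"--b1\r\n" + EXE_PART + b"--b1--\r\n")

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("exe", WITH_EXE),
                       ("malformed", MALFORMED), ("dup", DUP)]:
        print(f"{label:9} naive={naive_verdict(raw):10} hardened={hardened_verdict(raw)}")
```

The malformed sample is the one that matters: Python's email parser records StartBoundaryNotFoundDefect instead of raising, hands back the whole body as a single text payload, and a filter that never reads msg.defects walks an empty part list and delivers. The hardened verdict reports the defect and quarantines, which is the behaviour the malformed-header and duplicate_boundaries rules add to the appliance. The boundary scan runs over the raw bytes on purpose, since a lenient mail client that parses those same bytes differently from the gateway is exactly the differential the second advisory describes.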