Vulnerability in Cisco allows DoS attacks and network shutdown with just an email

The Cisco technology company has released a new cybersecurity report to disclose the remediation of a critical vulnerability the Cisco AsyncOS product zip decompression engine, for Cisco Email Security Appliance (ESA), tracked as CVE-2020-3134. According to the report, the flaw could allow an unauthenticated remote attacker to generate a denial of service (DoS) condition on an affected device.

In the report, the company mentions that the vulnerability exists due to incorrect validation of zip files. A threat actor could abuse this vulnerability by sending a message via email with a compressed file attached. If successfully exploited, the vulnerability would trigger a restart of the compressed content scanning process, resulting in the temporary DoS condition.

The Common Vulnerability Scoring System (CVSS) cybersecurity specialists assigned a score of 6.5/10 to the flaw, as it poses a threat to devices using this company product. The fix for this bug has already been released, although Cisco has issued some recommendations for users of out-of-date releases: “Cisco ESA 6.0.1 and earlier releases have stopped receiving software maintenance. Users of these versions are encouraged to migrate to a supported version, as they already have protection against this vulnerability,” the company’s notice says. In addition, the company mentions that there are no workarounds, so you need to install the updates.

In its cybersecurity alert, the company also recognized researchers Johan Andersstrom and Michael Venema for the vulnerability report. Although there are no reports of exploitation of this flaw in real-world scenarios, users are strongly advised to install the fixes as soon as possible and thus mitigate any exploitation risk, as it should not be forgotten that this is a critical security flaw. The full report on this flaw and its update patches is on the company’s official platforms.

According to the International Institute of Cyber Security (IICS), the latest set of updates released by Cisco includes fixes for 7 high severity vulnerabilities, plus 18 medium severity failures. Full information about this update is available on the official Cisco website.