Denial of service in Cisco Email Security Appliance and Cisco AsyncOS for Cisco Email Security Appliance - CVE-2016-1481

Vulnerability identifier: #VU1080

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2016-1481

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Cisco Email Security Appliance
Cisco AsyncOS for Cisco Email Security Appliance

The vulnerability allows a remote unauthenticated user to cause memory exhaustion on the target system.
The weakness is due to insufficient validation if input data. By sending email message with a specially crafted Design (DGN) file attachment, attackers can consume excessive memory during message filtering, causing the process to restart.
Successful exploitation of the vulnerability may lead to denial of service on the vulnerable system.

Update to version 9.1.1-038, 9.7.1-066, 10.0.0-124.

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esa1