Main Vulnerability Database Vulnerabilities #VU25479

Input validation error in Cisco AsyncOS for Cisco Email Security Appliance - CVE-2019-12706

Published: February 20, 2020

Vulnerability identifier: #VU25479

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-12706

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Cisco AsyncOS for Cisco Email Security Appliance

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the configured user filters on an affected device.

The vulnerability exists within the Sender Policy Framework (SPF) functionality due to the affected software insufficiently validates certain incoming SPF messages. A remote attacker can send a custom SPF packet to an affected device and bypass the configured header filters, which could allow malicious content to pass through the device.

How to mitigate CVE-2019-12706

Install updates from vendor's website.

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-esa-bypass

Input validation error in Cisco AsyncOS for Cisco Email Security Appliance - CVE-2019-12706

Detailed vulnerability description

How to mitigate CVE-2019-12706

Sources

Please verify you're human