Cisco has released a new cybersecurity report disclosing the remediation of a critical vulnerability in the zip decompression engine of Cisco AsyncOS for Cisco Email Security Appliance (ESA), tracked as CVE-2020-3134. According to the report, the flaw could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device.
In the report, the company mentions that the vulnerability exists due to incorrect validation of zip files. A threat actor could abuse this vulnerability by sending an email message with a compressed file attached. If successfully exploited, the vulnerability would trigger a restart of the compressed content scanning process, resulting in the temporary DoS.
The flaw was assigned a Common Vulnerability Scoring System (CVSS) score of 6.5/10, as it poses a threat to devices using this company product. The fix for this bug has already been released, although Cisco has issued some recommendations for users of out-of-date releases: “Cisco ESA 6.0.1 and earlier releases have stopped receiving software maintenance. Users of these versions are encouraged to migrate to a supported version, as they already have protection against this vulnerability,” the company’s notice says. In addition, the company mentions that there are no workarounds, so installing the updates is required.
In its cybersecurity alert, the company also credited researchers Johan Andersstrom and Michael Venema with reporting the vulnerability. Although there are no reports of exploitation of this flaw in real-world scenarios, users are strongly advised to install the fixes as soon as possible to mitigate any exploitation risk, as it should not be forgotten that this is a critical security flaw. The full report on this flaw and its update patches is available on the company’s official platforms.
According to the International Institute of Cyber Security (IICS), the latest set of updates released by Cisco includes fixes for 7 high severity vulnerabilities, plus 18 medium severity flaws. Full information about this update is available on the official Cisco website.