A vulnerability in Cisco that allows DoS attacks and network collapse with just one email

Cisco has published a security advisory announcing the fix for a critical vulnerability in the decompression engine of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), identified as CVE-2020-3134. According to the advisory, an unauthenticated remote attacker could cause a denial of service (DoS) condition on an affected device.

The vulnerability exists due to incorrect validation of zip files. An attacker could exploit it by sending an email message with a compressed file attached. Exploitation would trigger a restart of the process that scans the compressed content, resulting in a temporary DoS condition.

The flaw was assigned a Common Vulnerability Scoring System (CVSS) score of 6.5/10, as it represents a threat to the devices that use this Cisco product.

An update that corrects the flaw has already been released, and Cisco has also issued a recommendation for users of outdated versions:

“Cisco ESA versions 6.0.1 and earlier have stopped receiving software maintenance. Users of these versions are recommended to migrate to a compatible version, since they already have protection against this vulnerability.”

In addition, the company states that there are no workarounds, so installing the updates is necessary.

In the advisory, the company also credited researchers Johan Anderström and Michael Venema for reporting the vulnerability.

Although there are no reports of exploitation of this flaw in real-world scenarios, users are strongly advised to install the fixes as soon as possible to mitigate any risk of exploitation, since it is a critical security flaw.

The full advisory on this flaw and its patches is available on the company's official platforms.

According to the International Cyber Security Institute (IICS), the most recent set of updates released by Cisco includes fixes for 7 high-severity vulnerabilities and 18 medium-severity flaws. Full information about this update is available on the official Cisco website.

Andrea Leal
