Cisco AsyncOS Patch
Last Updated: 2014-03-21 00:16:12 UTC
by Johannes Ullrich (Version: 1)
Cisco released a patch for AsyncOS, the operating system used in it's E-Mail Security Appliance (ESA) and Security Management Appliance (SMA).
The vulnerability is exploited by an authenticated attacker uploading a crafted blocklist file. The file has to be uploaded via FTP, so this vulnerability is only exploitable if the FTP service is enabled. Once the blocklist is pared, arbitrary commands are executed.
This sounds like an OS command injection vulnerability. The parameters (assumed to be IP addresses) are likely passed as arguments to a firewall script, but if the address includes specific characters (usually ; or & ?) , additional commands can be executed.
Time to patch, but given that the attacker has to be authenticated, makes this a less severe vulnerability then other arbitrary code execution vulnerabilities.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute