Remote Code Execution Vulnerability in Cisco Email Security Appliance and Web Security Appliance
CVE-2016-1411

5.9 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 14 December 2016

Summary

A flaw exists in the update functionality of Cisco AsyncOS Software used in Cisco Email Security Appliance (ESA) and Cisco Web Security Appliance (WSA) that allows an unauthenticated remote attacker to impersonate the update server. This may lead to unauthorized access, allowing attackers to execute malicious updates or code. Several versions are affected, and it is crucial for users to apply the recommended fixes available in the newer releases.

Affected Version(s)

Cisco AsyncOS

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
