Cisco® Email Security Appliance (Cisco® ESA) Non-RFC MIME Format Executable Attachment Bypass (CSCvh03786) (CVE-2018-0419)

Author: Liam Romanis

In October 2017 InteliSecure were performing penetration testing activities for an important client.  One of the tasks involved performing tests against the client’s E-Mail content analysis systems. Various types of E-Mail were sent with attached executable files compressed and encrypted in various ways. These were blocked by the content analysis device, Cisco® Email Security Appliance (Cisco® ESA), previously known as Ironport.

In addition, E-Mails were sent with several types of malformed MIME formatting with executables attached in non-standard ways. One of these E-Mails passed by the executable blocking rules, which was reported to be an E-Mail without an attachment by Cisco® ESA, was accepted as a valid E-Mail with an executable attachment by Microsoft® Outlook. It was found that various other types of file could be sneaked past Cisco® ESA using the same method.  Interestingly, if the malicious email was then forwarded outside the organisation via Cisco ESA the same executable was blocked.

Whilst the CVSS3 score given by Cisco® in their advisory in August 2018 was 5.3, based on a minor integrity weakness in Cisco® ESA, the impact of this vulnerability could be greater given that malicious E-Mail is used to proliferate malware infected files, such as Trojans, Viruses and Ransomware. The exponential growth in E-Mail borne attacks has been observed since the beginnings of the Security Industry and is continuing to grow given the ease with which new malware can be developed using tools available on the Dark Web.

Cisco® ESA versions 10.0.0-203 and 11.0.0-264 are known to be affected however, Cisco has listed the issue as ‘Fixed’ but has not indicated where updated ESA software can be downloaded.

One interim workaround may be to create custom rules to looks for strings like ‘.exe’, ‘.com’, ‘.dll’, ‘.ps1’ and block E-Mails matching those however, due to Microsoft CreateNewProcess API executables with non-matching extensions may still execute.

InteliSecure recommends ensuring that endpoint security and Anti-Virus products be kept up to date. Application white listing should also be implemented so that users can only execute authorised executables. Additional Intrusion Detection or Intrusion Prevention devices could also be considered. To defend against ransomware, InteliSecure recommends that offline backups be taken of all important data.  If an incident occurs, backups should be scanned to ensure that files are not infected before they are restored.

Please refer to the Cisco Advisory for further information: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh03786

InteliSecure would like to thank our client for allowing us to pursue this vulnerability to try and encourage a fix to be produced.

InteliSecure would also like to thank the Cisco® developers and PSIRT for dealing with this issue rapidly.

If any organisations are unsure whether their Cisco ESA system is vulnerable InteliSecure would be happy to discuss this issue further.