CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
64.4%
According to its self-reported version, the Cisco AsyncOS running on the remote Cisco Email Security (ESA) appliance is affected by an email filter bypass vulnerability in the email filtering functionality due to improper error handling when processing malformed Multipurpose Internet Mail Extension (MIME) headers that are present in an attachment. An unauthenticated, remote attacker can exploit this vulnerability, via email having a specially crafted MIME-encoded attached file, to bypass the Advanced Malware Protection (AMP) filter configuration. Note that in order to exploit this vulnerability, the AMP feature must be configured to scan incoming email attachments.
#TRUSTED 454b39d702c0d5594abce44a26fd8ae6c2e47ec2720c56a22c385c29ee247d9892c52a4d9bd796c3a454507fecd1aefd36a9561a8fc4da6b6e17a961a0c128ea07aee21ae5a972188663fbb346f70abea8457e89dfb14546351b69351f0e1521a01ad386b5e7e793afab2e587d0fee428484917f1d94999ee85becc7a9aa315c8b65681307a98e91befb5896c2cea0b824c3511e2e718a5e926f9fc0703cb1877ebfd2e9691e740658a68c2e42d4c6346accae39f1d5ebdaea5165acb5be9c64def99e26aa6692cf5a413ca7609052ba4116fb1cc8c887bfb8d08d1b52488fe2d8bf73a92c86dce19a5739820e982418f1a59a6ed9f67ac3da9e1b47ac2d90b2f4c54deef3147062d677b298d751def9bb38b798692b5780679b59f9d42e2ae04e24c372768551578fbf1ea34e0a13288f9d6dae9b13ce1fe322d4adf9295867c5a8a14eeae31b587fb57c7c55f1342a37ebce18439a83605c89f412c99c0df3825b639f863ed2731c3a3084933d401c30f2c9d93966fde23b262094b22e64e97668964a7d1fe21632eb2d01923d77ca20782ba841a215ec60748fb23dd3b8831524d9054dad4e49c40399f22f143662e113a263edee124555de7471b50eeccdc16316a882823dd0e6f6b053fc4a1e7a01237f7a19b843c0af6cd391d693128dff355d171923102f8c266f36935852fc7caf66c8d5bce4b9060c611e48f36ad2
#TRUST-RSA-SHA256 6289f71d83a45a87e5141a8bd831d320d85434125b60657775112af474dde6728dd91232839360ad375e614610fee28505fb029a3505e7243072c806d67eb67da9136f50d275570b266913d612331dbcfd300d488e81a1f51f911827e6e34343cc77f35a1694c1d76da34227cbf8622f1c90523e15632b8183d3a940a841b7bd93998e283e46871d18506efce3a2661f6b29550776f4604220483332a73750b5608e42c822c48474919b8770c07f898c9280a0f832f15089ac247eddc84bdb6afc0ab52343057e5ba3160a6d12fde97556c1bcfa7423d465626bd5408ffffe70324c978d88fbadbcc538c05557b0b79f7e7f8e892b21f4443be465cb58be76801b9d00eacc4a8e67abddf80a3654f77227c2c30e966c5b70efab944d21099e44253ce4c4d09fb371681a7e9eef601b1ce871aebbc01a5761e675246afb15e75dd029d23e73a130cf3f5f4d4ff189e46c8b203bed1273915b7e3394bef059ce9eb0989f5e422fd56b8ea33751aa0669a0d54710c76fa74585cc64e9b6f27912ce2db3db172526200e2f29984e1c140d8b85ac4e18312cb3658e8a1a49570d6ac0089a82b5876cac6b607113a4870c01672bce3c95a0f9f41f2f693f045ef682b53d81c8145e6f2ed97a5b569fdc7ccc1b633fba8de0ce397c74b9de37e08a8b1d42aa88f925d05ef80eba3e658545151d7363401d75abee1cb546aeb1c7367ae6
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(95479);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/05");
script_cve_id("CVE-2016-6462", "CVE-2016-6463");
script_bugtraq_id(94360, 94363);
script_xref(name:"CISCO-BUG-ID", value:"CSCva13456");
script_xref(name:"CISCO-SA", value:"cisco-sa-20161116-esa1");
script_xref(name:"CISCO-BUG-ID", value:"CSCuz85823");
script_xref(name:"CISCO-SA", value:"cisco-sa-20161116-esa2");
script_name(english:"Cisco AsyncOS for Email Security Appliances MIME Header Processing Filter Bypass (cisco-sa-20161116-esa1 / cisco-sa-20161116-esa2)");
script_summary(english:"Checks the ESA version.");
script_set_attribute(attribute:"synopsis", value:
"The remote security appliance is missing a vendor-supplied security
patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco AsyncOS running on
the remote Cisco Email Security (ESA) appliance is affected by an
email filter bypass vulnerability in the email filtering functionality
due to improper error handling when processing malformed Multipurpose
Internet Mail Extension (MIME) headers that are present in an
attachment. An unauthenticated, remote attacker can exploit this
vulnerability, via email having a specially crafted MIME-encoded
attached file, to bypass the Advanced Malware Protection (AMP) filter
configuration. Note that in order to exploit this vulnerability, the
AMP feature must be configured to scan incoming email attachments.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161116-esa1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?af6ae40f");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161116-esa2
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84d58db7");
script_set_attribute(attribute:"solution", value:
"Apply the relevant update referenced in Cisco Security Advisories
cisco-sa-20161116-esa1 or cisco-sa-20161116-esa2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6463");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/16");
script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/02");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:email_security_appliance");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:email_security_appliance_firmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_esa_version.nasl");
script_require_keys("Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Email Security Appliance/Version");
script_require_ports("Host/local_checks_enabled");
exit(0);
}
include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");
display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/DisplayVersion');
ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Email Security Appliance/Version');
if (get_kb_item("Host/local_checks_enabled")) local_checks = TRUE;
else local_checks = FALSE;
ver_fixes = make_array(
# affected , # fixed
"9.7.0.125", "9.7.2-131",
"9.7.1.066", "9.7.2-131",
"10.0.0.082", "10.0.0-203",
"10.0.0.125", "10.0.0-203"
);
vuln = FALSE;
display_fix = NULL;
foreach affected (keys(ver_fixes))
{
if (ver == affected)
{
display_fix = ver_fixes[affected];
vuln = TRUE;
break;
}
}
if (isnull(display_fix))
audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver);
override = FALSE;
# If local checks are enabled, confirm whether AMP is configured to
# scan incoming email attachments. If local checks not enabled, only
# report if running a paranoid scan.
if (local_checks && vuln)
{
vuln = FALSE;
buf = cisco_command_kb_item("Host/Cisco/Config/ampconfig", "ampconfig");
if (check_cisco_result(buf) && preg(multiline:TRUE, pattern:"File Reputation: Enabled", string:buf))
vuln = TRUE;
else if (cisco_needs_enable(buf)) override = TRUE;
}
else if (!local_checks && report_paranoia < 2) vuln = FALSE;
if (vuln)
{
if (!local_checks) override = TRUE;
security_report_cisco(
port : 0,
severity : SECURITY_WARNING,
override : override,
version : display_ver,
bug_id : "CSCva13456/CSCuz85823",
fix : display_fix,
cmds : make_list("ampconfig")
);
}
else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco ESA', display_ver);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
64.4%