Customers of Cisco’s Email Security Appliance (ESA) product were notified this week that the product is vulnerable to a high-severity denial of service (DoS) flaw that may be exploited with specially crafted emails.
The vulnerability, identified as CVE-2022-20653, affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It can be exploited remotely and without authentication.
According to Cisco’s advisory, the vulnerability is caused by insufficient error handling in DNS name resolution.
Patches and workarounds have been made available, and Cisco has recommended that users deploy them to avoid potential exploitation.