PT-2022-1637 · Cisco · Cisco Email Security Appliance +1

Cesare Auteri +3 · Published 2022-02-16 · Updated 2023-09-22 · CVE-2022-20653

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Cisco Email Security Appliance (ESA) versions prior to Cisco AsyncOS Software Release 13.5.4.102

Description: A vulnerability in the DNS-based Authentication of Named Entities (DANE) email verification component could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The cause is insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this by sending specially formatted email messages that are processed by an affected device, causing the device to become unreachable from management interfaces or unable to process additional email messages for a period of time until it recovers, resulting in a DoS condition. Continued attacks could make the device completely unavailable, resulting in a persistent DoS condition.

Recommendations: For Cisco Email Security Appliance (ESA) versions prior to Cisco AsyncOS Software Release 13.5.4.102, update to Cisco AsyncOS Software Release 13.5.4.102 or later to resolve the issue. As a temporary workaround, consider configuring the Cisco ESA to send bounce messages instead of relying on downstream dependent mail servers, and verify whether DANE is enabled by checking the Mail Policies > Destination Controls > Add Destination page in the web interface and ensuring the DANE Support parameter is not enabled.
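As an added illustration (not Cisco's code and not a reconstruction of the ESA's DANE component), the following Python models the failure class the description names: a DANE TLSA lookup that does not handle DNS-resolution errors aborts the delivery loop for every message queued behind the failing one, while a hardened lookup maps each resolver failure to a deferral and keeps serving the rest. The domain names, TLSA records and resolver are constructed stand-ins.

```python
from typing import Callable, Dict, List, NamedTuple, Tuple

class ResolverError(Exception):
    """Constructed stand-in for a timeout, SERVFAIL, bogus DNSSEC or a malformed reply."""

class TlsaRecord(NamedTuple):  # RFC 6698 TLSA RDATA fields
    usage: int
    selector: int
    mtype: int
    data: bytes

Resolver = Callable[[str], List[TlsaRecord]]
# Outcomes: "absent" = deliver with ordinary TLS, "present" = enforce DANE,
# "defer" = lookup failed, re-queue this message and keep serving the rest.

def naive_lookup(domain: str, resolve: Resolver) -> str:
    """Defect of the class the advisory names: a resolver failure is never caught."""
    records = resolve(f"_25._tcp.{domain}")
    return "present" if records else "absent"

def hardened_lookup(domain: str, resolve: Resolver) -> str:
    """Contain every resolver failure and ignore records an SMTP client cannot act on."""
    try:
        records = resolve(f"_25._tcp.{domain}")
    except ResolverError:
        return "defer"
    usable = [r for r in records if r.usage in (2, 3) and r.selector in (0, 1)
              and r.mtype in (0, 1, 2) and r.data]
    return "present" if usable else "absent"

def drain_queue(queue: List[Tuple[str, str]], lookup, resolve: Resolver) -> Dict[str, str]:
    """One unhandled error here stalls every message queued behind it (the DoS effect)."""
    return {msg_id: lookup(domain, resolve) for msg_id, domain in queue}

# Constructed zone data in place of real DNS; broken.example fails like a bad resolver path.
_ZONE = {"_25._tcp.good.example": [TlsaRecord(3, 1, 1, bytes.fromhex("ab" * 32))],
         "_25._tcp.broken.example": ResolverError("SERVFAIL"),
         "_25._tcp.plain.example": []}

def fake_resolve(name: str) -> List[TlsaRecord]:
    hit = _ZONE.get(name, [])
    if isinstance(hit, Exception):
        raise hit
    return hit

QUEUE = [("m1", "good.example"), ("m2", "broken.example"), ("m3", "plain.example")]

def compare() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (naive outcome, hardened outcome) for the same delivery queue."""
    try:
        naive = drain_queue(QUEUE, naive_lookup, fake_resolve)
    except ResolverError as exc:
        naive = {"aborted": str(exc)}
    return naive, drain_queue(QUEUE, hardened_lookup, fake_resolve)
```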


Weakness Enumeration

Related Identifiers

BDU:2022-00880
CVE-2022-20653

Affected Products

Cisco AsyncOS
Cisco Email Security Appliance