Details of VAR-201608-0238

ID

VAR-201608-0238

CVE

CVE-2016-1461

TITLE

Cisco E Email Security The appliance Run on device AsyncOS Vulnerabilities that prevent malware detection

Trust: 0.8

sources: JVNDB: JVNDB-2016-004106

DESCRIPTION

Cisco AsyncOS on Email Security Appliance (ESA) devices through 9.7.0-125 allows remote attackers to bypass malware detection via a crafted attachment in an e-mail message, aka Bug ID CSCuz14932. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuz14932

Trust: 1.89

sources: NVD: CVE-2016-1461 // JVNDB: JVNDB-2016-004106 // BID: 92155

AFFECTED PRODUCTS

vendor:	cisco	model:	asyncos	scope:	lte	version:	9.7.0-125	Trust: 1.8
vendor:	cisco	model:	e email security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisca	model:	email security appliance	scope:	eq	version:	9.6.0-051	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	7.6.3-025	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	9.7.0-125	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	8.5.0-er1-198	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	7.5.2-201	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	8.0.1-023	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	9.1.0-011	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	9.4.0	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	9.4.4-000	Trust: 0.6
vendor:	cisca	model:	email security appliance	scope:	eq	version:	7.1.0	Trust: 0.6
vendor:	cisco	model:	email security appliance	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	asyncos	scope:	eq	version:	-	Trust: 0.3

sources: BID: 92155 // JVNDB: JVNDB-2016-004106 // CNNVD: CNNVD-201607-1032 // NVD: CVE-2016-1461

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1461
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1461
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201607-1032
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2016-1461
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2016-1461
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

nvd@nist.gov:	CVE-2016-1461
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2016-1461
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2016-004106 // CNNVD: CNNVD-201607-1032 // NVD: CVE-2016-1461

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2016-004106 // NVD: CVE-2016-1461

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-1032

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201607-1032

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004106

PATCH

title:	cisco-sa-20160727-esa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160727-esa	Trust: 0.8
title:	Cisco AsyncOS on Email Security Appliance Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91633	Trust: 0.6

sources: JVNDB: JVNDB-2016-004106 // CNNVD: CNNVD-201607-1032

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1461	Trust: 2.7
db:	BID	id:	92155	Trust: 1.9
db:	SECTRACK	id:	1036470	Trust: 1.6
db:	JVNDB	id:	JVNDB-2016-004106	Trust: 0.8
db:	CNNVD	id:	CNNVD-201607-1032	Trust: 0.6

sources: BID: 92155 // JVNDB: JVNDB-2016-004106 // CNNVD: CNNVD-201607-1032 // NVD: CVE-2016-1461

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160727-esa	Trust: 2.5
url:	http://www.securitytracker.com/id/1036470	Trust: 1.6
url:	http://www.securityfocus.com/bid/92155	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1461	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1461	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: BID: 92155 // JVNDB: JVNDB-2016-004106 // CNNVD: CNNVD-201607-1032 // NVD: CVE-2016-1461

CREDITS

Cisco

Trust: 0.9

sources: BID: 92155 // CNNVD: CNNVD-201607-1032

SOURCES

db:	BID	id:	92155
db:	JVNDB	id:	JVNDB-2016-004106
db:	CNNVD	id:	CNNVD-201607-1032
db:	NVD	id:	CVE-2016-1461

LAST UPDATE DATE

2024-11-23T22:13:14.426000+00:00

SOURCES UPDATE DATE

db:	BID	id:	92155	date:	2016-07-27T00:00:00
db:	JVNDB	id:	JVNDB-2016-004106	date:	2016-08-02T00:00:00
db:	CNNVD	id:	CNNVD-201607-1032	date:	2022-02-07T00:00:00
db:	NVD	id:	CVE-2016-1461	date:	2024-11-21T02:46:29.223

SOURCES RELEASE DATE

db:	BID	id:	92155	date:	2016-07-27T00:00:00
db:	JVNDB	id:	JVNDB-2016-004106	date:	2016-08-02T00:00:00
db:	CNNVD	id:	CNNVD-201607-1032	date:	2016-07-29T00:00:00
db:	NVD	id:	CVE-2016-1461	date:	2016-08-01T02:59:00.167