Cisco Email Security Appliance 9.6.0-042 Denial Of Service Overflow Vulnerability
11 Aug. 2016
libclamav in ClamAV (aka Clam AntiVirus), as used in Advanced Malware Protection (AMP) on Cisco Email Security Appliance (ESA) devices before 9.7.0-125 and Web Security Appliance (WSA) devices before 9.0.1-135 and 9.1.x before 9.1.1-041, allows remote attackers to cause a denial of service (AMP process restart) via a crafted document, aka Bug IDs CSCuv78533 and CSCuw60503.
* Cisco Email Security Appliance 9.6.0-042
* Cisco Web Security Appliance 8.8.0-085
* Cisco Web Security Appliance 9.1.0-070
* Cisco Web Security Appliance 9.5.0-284
* Clamav Clamav
A vulnerability in the Clam AntiVirus (ClamAV) software that is used by Cisco Advance Malware Protection (AMP) for Cisco Email Security Appliances (ESAs) and Cisco Web Security Appliances (WSAs) could allow an unauthenticated, remote attacker to cause the AMP process to restart.
The vulnerability is due to improper parsing of input files by the libclamav library. An attacker could exploit this vulnerability by sending a crafted document that triggers a scan from the AMP ClamAV library on an affected system. A successful exploit could allow the attacker to cause the AMP process to restart.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.