Cisco plugs IronPort holes

Cisco has reported two vulnerabilities in its IronPort email and web protection devices.

Both flaws allow remote, unauthenticated access to any file on the device and one allows remote, unauthenticated users to execute arbitrary code with elevated privileges via the embedded HTTPS server.

IronPort Encryption Appliance 6.5 versions prior to 6.5.2, IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1 and IronPort PostX MAP versions prior to 6.2.9.1 are all affected.

As a workaround, users are advised to filter Appliance access or disable the HTTP invoker.