IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a Public Key
Infrastructure (PKI) or special agents on receiving systems. When an e-mail
message is targeted for encryption, the PXE encryption engine on an IronPort
e-mail gateway encrypts the original e-mail message as an HTML file and
attaches it to a notification e-mail message that is sent to the recipient. The
per-message key used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the Cisco
Registered Envelope Service, which is a Cisco-managed software service.
PXE Encryption Privacy Vulnerabilities
The IronPort PXE Encryption solution is affected by two vulnerabilities
that could allow unauthorized individuals to view the contents of secure e-mail
messages. To exploit the vulnerabilities, attackers must first intercept secure
e-mail messages on the network or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
IronPort Encryption Appliance devices contain two vulnerabilities that
could allow unauthorized users to gain access to the IronPort Encryption
Appliance administration interface and modify other users' settings. These
vulnerabilities do not affect Cisco Registered Envelope Service users.
Cisco has released software updates that address these vulnerabilities. There are no workarounds for the vulnerabilities that are
described in this advisory.
This advisory is posted at