Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users

Cisco has addressed a critical vulnerability that could allow attackers to add new root users to Security Email Gateway (SEG) appliances.

Cisco fixed a critical vulnerability, tracked as CVE-2024-20401 (CVSS score 9.8), that could allow unauthenticated, remote attackers to add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances.

The flaw resides in the content scanning and message filtering features of Cisco Secure Email Gateway.

The vulnerability arises from improper handling of email attachments when file analysis and content filters are enabled. Attackers could exploit this by sending a specially crafted email attachment, allowing them to replace any file on the file system. This could enable them to add root users, modify configurations, execute arbitrary code, or trigger a permanent denial of service (DoS) condition on the affected device.

“A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system.” reads the advisory published by Cisco.

“This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.”

The flaw impacts Cisco Secure Email Gateway running a vulnerable release of Cisco AsyncOS if either the file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy, and if the Content Scanner Tools version is earlier than 23.3.0.4823.

Content Scanner Tools version 23.3.0.4823 and later address this vulnerability. This updated version is also part of Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.

Users could determine whether file analysis is enabled by connecting to the product web management interface (“Mail Policies > Incoming Mail Policies > Advanced Malware Protection > Mail Policy”) and checking if “Enable File Analysis” option is checked.

To determine whether content filters are enabled, users can open the product web interface and check if the “Content Filters” column (“Choose Mail Policies > Incoming Mail Policies > Content Filters”) doesn’t contain the value “disabled.”

The company’s Product Security Incident Response Team (PSIRT) is not aware of exploitation attempts targeting the CVE-2024-20401 vulnerability in the wild.

This week, the IT giant has addressed a critical vulnerability, tracked as CVE-2024-20419 (CVSS score of 10.0), in Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers that allow attackers to change any user’s password.

The issue is due to an improper implementation in the password-change process. Threat actors can trigger the vulnerability by sending specially crafted HTTP requests to vulnerable devices.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Cisco)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter