Cisco patches critical flaw in Secure Email Gateway appliances
Patch devices immediately
Businesses using Cisco Secure Email Gateways (SEG) are urged to update their systems immediately following the disclosure of a critical vulnerability that could grant attackers complete control over affected devices.
Tracked as CVE-2024-20401, the vulnerability resides in the way SEG appliances handle email attachments when specific security features are enabled.
Although Cisco has patched the flaw, it is classified as remotely exploitable by unauthenticated attackers, meaning an attacker needs no existing access or credentials on the device to attempt an attack.
This raises concerns, as SEG appliances are designed to safeguard businesses against malicious emails and data leaks.
"This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. A successful exploit could allow the attacker to replace any file on the underlying file system," Cisco stated.
A successful exploit could grant attackers a range of harmful capabilities, including adding new user accounts with the highest level of access (root privileges), altering system configurations, injecting malicious code, or even causing a permanent denial of service (DoS) condition on the compromised device.
Cisco reports that the vulnerability affects SEG appliances running vulnerable versions of AsyncOS. According to the company, two specific conditions must be met for a successful exploit:
- Enabled Security Features: The file analysis feature, which is part of Cisco Advanced Malware Protection, or the content filter feature must be enabled and assigned to an incoming mail policy.
- Outdated Scanner Tools: The Content Scanner Tools version on the device must be older than version 23.3.0.4823.
Cisco has released a patch that addresses the vulnerability and is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
Although the vulnerability hasn't been exploited in the wild yet, Cisco underscores the importance of immediate action.
For SEG appliances already compromised through this vulnerability, simply patching the software may not be enough. Such devices would require manual intervention by Cisco support.
Cisco advises all SEG users to verify their systems and update both Cisco AsyncOS and Content Scanner Tools to the latest versions as soon as possible.
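As an added example (not from the article, from Cisco, or from any Cisco tool), the following Python check applies the conditions above to a constructed inventory of SEG appliances: a device is flagged as exposed only when its AsyncOS predates 15.5.1-055, file analysis or a content filter is assigned to an incoming mail policy, and Content Scanner Tools predates 23.3.0.4823, and the outstanding updates are listed either way. The inventory field names and the assumption that version components compare numerically are mine, not something the article states.

```python
import re

# Fixed versions named in Cisco's advisory, as quoted in the article.
FIXED_ASYNCOS = "15.5.1-055"
FIXED_SCANNER_TOOLS = "23.3.0.4823"

def version_key(version: str) -> tuple:
    """'15.5.1-055' -> (15, 5, 1, 55). Assumption (not from the article):
    components compare numerically, left to right."""
    parts = re.split(r"[.-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_older(version: str, reference: str) -> bool:
    """True when `version` sorts before `reference`; shorter tuples are zero-padded."""
    a, b = version_key(version), version_key(reference)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def assess_seg(record: dict) -> dict:
    """Apply the advisory's two conditions to one appliance record.
    The record keys are hypothetical inventory fields, not Cisco's."""
    asyncos_old = is_older(record["asyncos"], FIXED_ASYNCOS)
    scanner_old = is_older(record["scanner_tools"], FIXED_SCANNER_TOOLS)
    feature_on = record["file_analysis_incoming"] or record["content_filter_incoming"]
    # Exposed only when AsyncOS is unpatched AND both advisory conditions hold.
    exposed = asyncos_old and feature_on and scanner_old
    # Cisco advises updating both components whether or not a device is exposed now.
    actions = []
    if asyncos_old:
        actions.append("update AsyncOS to 15.5.1-055 or later")
    if scanner_old:
        actions.append("update Content Scanner Tools to 23.3.0.4823 or later")
    return {"host": record["host"], "exposed": exposed, "actions": actions}

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "seg-1", "asyncos": "15.0.1-030", "scanner_tools": "23.3.0.4800",
     "file_analysis_incoming": True, "content_filter_incoming": False},
    {"host": "seg-2", "asyncos": "15.5.1-055", "scanner_tools": "23.3.0.4823",
     "file_analysis_incoming": True, "content_filter_incoming": True},
    {"host": "seg-3", "asyncos": "15.0.1-030", "scanner_tools": "23.3.0.4800",
     "file_analysis_incoming": False, "content_filter_incoming": False},
]

def exposed_hosts(inventory=SAMPLE_INVENTORY) -> list:
    """Hostnames meeting every exposure condition, in inventory order."""
    return [r["host"] for r in inventory if assess_seg(r)["exposed"]]
```

Note that seg-3 is not currently exposed because neither feature is assigned to an incoming policy, yet it still gets both update actions, matching Cisco's advice to update regardless.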
Critical vulnerability in Cisco Smart Software Manager
This week, Cisco also rushed out a patch to address another critical vulnerability (CVE-2024-20419) in its Cisco Smart Software Manager (SSM) On-Prem software.
This flaw could allow attackers to seize complete control of affected systems by hijacking any user account, including those with administrative privileges. The vulnerability was assigned the maximum 10 out of 10 severity rating on the CVSS 3.1 scoring system, reflecting the ease of exploitation and the potentially devastating consequences.
While Cisco has kept the specifics of the flaw under wraps, it appears attackers could change passwords remotely without needing any special access or user interaction.
"Cisco's warning about a critically rated 10/10 vulnerability, CVE-2024-20419, shouldn't be taken lightly," Sylvain Cortes, VP strategy at Hackuity, said.
"Any exploit of this flaw could allow unauthenticated attackers to change users' passwords from a remote location, putting users at risk of unauthorised access to their account. This is the sweet spot attackers dream of: low complexity, high impact. In the worst possible scenario, a threat actor could have the ability to access the user's web UI with the same privileges as the user. This vulnerability underpins the importance of regular updates to all software, as these often include important security updates which aim to keep holes in the network closed.
"Cisco notes that version 9 of the affected software (SSM On-Prem and SSM Satellite) is unaffected by the vulnerability. I urge all users to update their software now – and fast."
In April, Cisco issued a security alert detailing a large-scale cyber espionage campaign dubbed "ArcaneDoor" that targeted government networks worldwide.
The campaign exploited two zero-day vulnerabilities in Cisco's widely used Adaptive Security Appliance (ASA) firewalls.
Last year, Cisco disclosed a critical zero-day vulnerability in its IOS XE software that was actively exploited in the wild.
The bug existed in the web UI feature of IOS XE, and enabled an unauthenticated remote attacker to create a privileged account on affected devices. It was accorded a maximum CVSS score of 10.0.