Warning: Critical Vulnerability In Cisco Secure Email Gateway Allows Arbitrary File Write, Patch Immediately!
CVE-2024-20401: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20401
Risks
A vulnerability in the Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite files on the device. This allows an attacker to change the device’s configuration, add users with root privileges, or create Denial-of-Service (DOS) conditions.
Access to an email gateway could be used to gain access to sensitive information and could allow attackers to pivot into internal networks.
Description
In the file analysis and content filters on the device, a vulnerability is found which can lead to arbitrary files being written to the filesystem. The vulnerability can be triggered by a remote attacker by sending an email with a crafted malicious attachment.
Vulnerable products need to have the file analysis component enabled (part of Cisco Advanced Malware Protection) or have the content filter feature enabled on an incoming mail policy.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
The patch for this update is part of the Content Scanner Tools versions 23.3.0.4823 and later. The updated version of the Content Scanner Tools is included in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
More information can be found on the Cisco advisory page.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via:https://ccb.belgium.be/en/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
SecurityWeek: https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-secure-email-gateway-ssm/
Helpnet Security: https://www.helpnetsecurity.com/2024/07/18/cve-2024-20401-cve-2024-20419/