www.belgium.be Logo of the federal government

Warning: Critical Vulnerability In Cisco Secure Email Gateway Allows Arbitrary File Write, Patch Immediately!

Reference: 
Advisory #2024-111
Version: 
1.0
Affected software: 
Cisco Secure Email Gateway
Type: 
Arbitrary File Write
CVE/CVSS: 

CVE-2024-20401: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20401

Risks

A vulnerability in the Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite files on the device. This allows an attacker to change the device’s configuration, add users with root privileges, or create Denial-of-Service (DOS) conditions.

Access to an email gateway could be used to gain access to sensitive information and could allow attackers to pivot into internal networks.

Description

In the file analysis and content filters on the device, a vulnerability is found which can lead to arbitrary files being written to the filesystem. The vulnerability can be triggered by a remote attacker by sending an email with a crafted malicious attachment.

Vulnerable products need to have the file analysis component enabled (part of Cisco Advanced Malware Protection) or have the content filter feature enabled on an incoming mail policy.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

The patch for this update is part of the Content Scanner Tools versions 23.3.0.4823 and later. The updated version of the Content Scanner Tools is included in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.

More information can be found on the Cisco advisory page.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via:https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

SecurityWeek: https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-secure-email-gateway-ssm/
Helpnet Security: https://www.helpnetsecurity.com/2024/07/18/cve-2024-20401-cve-2024-20419/