Critical Vulnerability in Cisco’s Secure Email Gateway Patched

July 19, 2024

Cisco has addressed a critical security flaw, identified as CVE-2024-20401, in its Secure Email Gateway (SEG). The flaw could have allowed unauthenticated, remote attackers to add new users with root privileges and permanently disable SEG appliances. It resides in the content scanning and message filtering features of the product.

The flaw originates from the improper handling of email attachments when file analysis and content filters are activated. An attacker could exploit it by sending an email with a specially crafted attachment, which would allow them to replace any file on the system. From there, they could add root users, alter configurations, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

Cisco's advisory states: “A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system... An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.”

The flaw affects Cisco Secure Email Gateway running a vulnerable release of Cisco AsyncOS when both of the following are true: the file analysis feature or the content filter feature is enabled and assigned to an incoming mail policy, and the Content Scanner Tools version is earlier than 23.3.0.4823. The vulnerability is fixed in Content Scanner Tools version 23.3.0.4823 and later, which is included in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later. To determine whether file analysis is enabled, open the product web management interface and check whether the “Enable File Analysis” option is checked. Content filters are enabled if the “Content Filters” column does not contain the value “disabled.”
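The affected conditions above can be turned into a fleet triage check. The following is an added example, not code from Cisco or from this article: the inventory records, field names, and every version string other than 23.3.0.4823 are constructed for illustration. It compares versions numerically, because a plain string comparison would rank "9.1.0.1202" above "23.3.0.4823" and report an old build as patched.

```python
# Added example: triage a constructed appliance inventory against the
# affected conditions for CVE-2024-20401. Field names are hypothetical.
FIXED_SCANNER_TOOLS = "23.3.0.4823"  # first fixed Content Scanner Tools version

def parse_version(text):
    """Turn '23.3.0.4823' into (23, 3, 0, 4823); return None if unparseable."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        return None

def assess(appliance):
    """Classify one inventory record by version and enabled features."""
    version = parse_version(appliance.get("scanner_tools"))
    if version is None:
        return "review"  # unknown version: never assume it is patched
    if version >= parse_version(FIXED_SCANNER_TOOLS):
        return "patched"
    features = (appliance.get("file_analysis"), appliance.get("content_filters"))
    if any(flag is None for flag in features):
        return "review"  # feature state not recorded: check the web interface
    # Older version: exposed only if file analysis or content filters are
    # enabled and assigned to an incoming mail policy.
    return "exposed" if any(features) else "unpatched, features off"

def triage(inventory):
    """Map appliance name to status for the whole inventory."""
    return {a["name"]: assess(a) for a in inventory}

# Constructed sample inventory (not real devices or real version history).
INVENTORY = [
    {"name": "seg-a", "scanner_tools": "23.3.0.4823", "file_analysis": True, "content_filters": True},
    {"name": "seg-b", "scanner_tools": "23.1.0.4619", "file_analysis": True, "content_filters": False},
    {"name": "seg-c", "scanner_tools": "9.1.0.1202", "file_analysis": False, "content_filters": True},
    {"name": "seg-d", "scanner_tools": "23.1.0.4619", "file_analysis": False, "content_filters": False},
    {"name": "seg-e", "scanner_tools": None, "file_analysis": True, "content_filters": True},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name}: {status}")
```

Appliances reported as "unpatched, features off" still need the update, since enabling either feature later would expose them.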

Cisco’s Product Security Incident Response Team (PSIRT) is currently not aware of any exploitation attempts targeting CVE-2024-20401. Cisco has also addressed another critical vulnerability, tracked as CVE-2024-20419, in Cisco Smart Software Manager On-Prem license servers. It could allow attackers to change any user’s password due to an improper implementation of the password-change process, and could be triggered by sending specially crafted HTTP requests to vulnerable devices.
