Critical Cisco bug lets hackers add root users on SEG devices


Cisco has fixed a critical severity vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments.

Tracked as CVE-2024-20401, this arbitrary file write security flaw in the SEG content scanning and message filtering features is caused by an absolute path traversal weakness that allows replacing any file on the underlying operating system.

“This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. A successful exploit could allow the attacker to replace any file on the underlying file system,” Cisco explained.

“The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.”

CVE-2024-20401 impacts SEG appliances if they’re running a vulnerable Cisco AsyncOS release and the following conditions are met:

  • The file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy.
  • The Content Scanner Tools version is earlier than 23.3.0.4823.

The fix for this vulnerability is delivered to affected devices with the Content Scanner Tools package versions 23.3.0.4823 and later. The updated version is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.

How to find vulnerable appliances

To determine whether file analysis is enabled, connect to the product web management interface, go to “Mail Policies > Incoming Mail Policies > Advanced Malware Protection > Mail Policy,” and check if “Enable File Analysis” is checked.

To check whether content filters are enabled, open the product web interface and check if the “Content Filters” column under “Choose Mail Policies > Incoming Mail Policies > Content Filters” contains anything other than Disabled.
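
The exposure conditions and fixed versions given above can be combined into a fleet triage check. This is an added example, not code from Cisco or the original article; the inventory records, field names and status labels are assumptions, and the sample version strings are constructed.

```python
import re

FIXED_SCANNER = (23, 3, 0, 4823)  # Content Scanner Tools fix version named in the article
FIXED_ASYNCOS = (15, 5, 1, 55)    # AsyncOS 15.5.1-055 includes the fixed tools by default

# Constructed inventory: hosts, versions and flags are sample values, not real devices.
INVENTORY = [
    {"host": "seg-01", "asyncos": "15.0.0-100", "scanner_tools": "23.3.0.4800",
     "file_analysis": True, "content_filters": False},
    {"host": "seg-02", "asyncos": "15.0.0-100", "scanner_tools": "23.3.0.4823",
     "file_analysis": True, "content_filters": True},
    {"host": "seg-03", "asyncos": "15.5.1-055", "scanner_tools": None,
     "file_analysis": False, "content_filters": True},
    {"host": "seg-04", "asyncos": "14.2.0-100", "scanner_tools": "23.1.0.4000",
     "file_analysis": False, "content_filters": False},
]


def parse_version(text):
    """Turn '23.3.0.4823' or '15.5.1-055' into a comparable tuple of ints."""
    parts = re.split(r"[.\-]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(appliance):
    """Return (status, basis) for one inventory record."""
    feature_on = appliance["file_analysis"] or appliance["content_filters"]
    scanner = appliance.get("scanner_tools")
    if scanner:
        # The scanner package version decides, whatever the AsyncOS release is.
        patched = parse_version(scanner) >= FIXED_SCANNER
        basis = f"Content Scanner Tools {scanner}"
    else:
        # Not recorded: the AsyncOS release only shows what shipped by default.
        patched = parse_version(appliance["asyncos"]) >= FIXED_ASYNCOS
        basis = f"AsyncOS {appliance['asyncos']} (scanner version not recorded)"
    if patched:
        return "PATCHED", basis
    if feature_on:
        return "VULNERABLE", basis + "; scanning feature on an incoming mail policy"
    return "UNPATCHED_NOT_EXPOSED", basis + "; no scanning feature assigned"


if __name__ == "__main__":
    for record in INVENTORY:
        print(record["host"], *assess(record), sep=" | ")
```

Appliances reported as UNPATCHED_NOT_EXPOSED do not meet the exposure conditions today but become vulnerable as soon as file analysis or a content filter is assigned to an incoming mail policy, so they still belong on the update list.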

Vulnerable SEG appliances are permanently taken offline following successful CVE-2024-20401 attacks; Cisco advises customers to contact its Technical Assistance Center (TAC) to bring them back online, which will require manual intervention.

Cisco added that no workarounds are available for appliances impacted by this security flaw, and it advised all admins to update vulnerable appliances to secure them against attacks.

The company’s Product Security Incident Response Team (PSIRT) has not found evidence of public proof of concept exploits or exploitation attempts targeting the CVE-2024-20401 vulnerability.

On Wednesday, Cisco also fixed a maximum severity bug that lets attackers change the password of any user, including administrators, on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers.
