[Cyware] Critical Cisco bug lets hackers add root users on SEG devices

Summary: Cisco has addressed a critical vulnerability (CVE-2024-20401) in its Security Email Gateway (SEG) appliances that allows attackers to gain root privileges and crash the devices using malicious email attachments. This flaw arises from an absolute path traversal issue in the content scanning and message filtering features of SEG.

Threat Actor: Unknown | unknown
Victim: Cisco Security Email Gateway (SEG) appliances | Cisco Security Email Gateway

Key Point :

  • The vulnerability allows attackers to replace any file on the underlying operating system, leading to actions such as adding users with root privileges and executing arbitrary code.
  • Affected devices require updates to the Content Scanner Tools package version 23.3.0.4823 or later to mitigate the risk.
  • Cisco advises customers to check their SEG configurations to determine if they are vulnerable and to contact Technical Assistance Center (TAC) for recovery if compromised.
  • No public proof of concept exploits have been found targeting this vulnerability as of now.

Cisco

Cisco has fixed a critical severity vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments.

Tracked as CVE-2024-20401, this arbitrary file write security flaw in the SEG content scanning and message filtering features is caused by an absolute path traversal weakness that allows replacing any file on the underlying operating system.

“This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. A successful exploit could allow the attacker to replace any file on the underlying file system,” Cisco explained.

“The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.”

CVE-2024-20401 impacts SEG appliances if they’re running a vulnerable Cisco AsyncOS release and the following conditions are met:

  • The file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy.
  • The Content Scanner Tools version is earlier than 23.3.0.4823

The fix for this vulnerability is delivered to affected devices with the Content Scanner Tools package versions 23.3.0.4823 and later. The updated version is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.

How to find vulnerable appliances

To determine whether file analysis is enabled, connect to the product web management interface, go to “Mail Policies > Incoming Mail Policies > Advanced Malware Protection > Mail Policy,” and check if “Enable File Analysis” is checked.

To find if content filters are enabled, open the product web interface and check if the “Content Filters” column under “Choose Mail Policies > Incoming Mail Policies > Content Filters” contains anything other than Disabled.

While vulnerable SEG appliances are permanently taken offline following successful CVE-2024-20401 attacks, Cisco advises customers to contact its Technical Assistance Center (TAC) to bring them back online, which will require manual intervention.

Cisco added that no workarounds are available for appliances impacted by this security flaw, and it advised all admins to update vulnerable appliances to secure them against attacks.

The company’s Product Security Incident Response Team (PSIRT) has not found evidence of public proof of concept exploits or exploitation attempts targeting the CVE-2024-20401 vulnerability.

On Wednesday, Cisco also fixed a maximum severity bug that lets attackers change any user password on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators.


Source: https://www.bleepingcomputer.com/news/security/critical-cisco-bug-lets-hackers-add-root-users-on-seg-devices


“An interesting youtube video that may be related to the article above”