Critical Cisco Bug Allows Root Access and Permanent DoS via Malicious Emails
Cisco Fixes Critical SEG Vulnerability (CVE-2024-20401)
Cisco has addressed a critical severity vulnerability (CVE-2024-20401) affecting its Security Email Gateway (SEG) appliances. This vulnerability allows attackers to add new users with root privileges or permanently crash the appliances by exploiting email attachments with malicious content.
Details of CVE-2024-20401
- Type: Arbitrary File Write Vulnerability
- Severity: Critical
- Impact:
  - Adding users with root privileges
  - Modifying device configuration
  - Executing arbitrary code
  - Causing permanent denial of service (DoS)
Cause
The vulnerability stems from an absolute path traversal weakness in the content scanning and message filtering features of SEG appliances. This flaw allows attackers to replace any file on the underlying operating system by sending emails with malicious attachments.
Conditions for Exploitation
SEG appliances are vulnerable if the following conditions are met:
- Running a vulnerable Cisco AsyncOS release.
- The file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy.
- The Content Scanner Tools version is earlier than 23.3.0.4823.
Fixes and Updates
- Content Scanner Tools Package Version: 23.3.0.4823 and later
- Cisco AsyncOS for Cisco Secure Email Software: 15.5.1-055 and later
The fix includes an updated version of the Content Scanner Tools package, which is part of the mentioned AsyncOS release.
Identifying Vulnerable Appliances
To determine if your SEG appliance is vulnerable, follow these steps:
- File Analysis Check:
  - Navigate to Mail Policies > Incoming Mail Policies > Advanced Malware Protection > Mail Policy.
  - Check if “Enable File Analysis” is selected.
- Content Filters Check:
  - Go to Mail Policies > Incoming Mail Policies > Content Filters.
  - Verify if the “Content Filters” column contains any entries other than “Disabled”.
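For a fleet of appliances, the conditions and fixed versions listed above can be applied to an exported inventory. The script below is an added example, not code from Cisco or from the original article; the hostnames, column names and sample version strings are constructed, and falling back to the AsyncOS release when the package version is missing is an assumption of this sketch.

```python
import csv
import io
import re

FIXED_TOOLS = (23, 3, 0, 4823)  # Content Scanner Tools 23.3.0.4823 (from the article)
FIXED_ASYNCOS = (15, 5, 1, 55)  # AsyncOS 15.5.1-055 includes the fixed package

# Constructed inventory: hostnames, columns and versions are hypothetical.
SAMPLE = """host,asyncos,scanner_tools,file_analysis,content_filters
seg-a,15.0.0-104,23.1.0.4619,yes,Disabled
seg-b,15.5.1-055,23.3.0.4823,yes,block_exe
seg-c,15.0.0-104,23.3.0.4823,no,block_exe
seg-d,14.2.1-020,23.1.0.4619,no,Disabled
seg-e,15.0.0-104,,no,strip_macros
"""

def parse_version(text):
    """Turn '23.3.0.4823' or '15.5.1-055' into a comparable tuple, or None."""
    parts = re.split(r"[.-]", text.strip())
    if not all(p.isdigit() for p in parts):
        return None  # empty or malformed version string
    return tuple(int(p) for p in parts)

def assess(row):
    """Apply the article's exploitation conditions to one appliance record."""
    tools = parse_version(row["scanner_tools"])
    asyncos = parse_version(row["asyncos"])
    # Either feature on an incoming mail policy exposes the scanning path.
    scanning = (row["file_analysis"].strip().lower() == "yes"
                or row["content_filters"].strip().lower() != "disabled")
    if tools is None:
        # Assumption: without a package version, trust only a fixed AsyncOS release.
        if asyncos is not None and asyncos >= FIXED_ASYNCOS:
            return "patched"
        return "review"
    if tools >= FIXED_TOOLS:
        return "patched"
    return "vulnerable" if scanning else "unpatched-not-exposed"

def triage(text=SAMPLE):
    """Return {host: status} for every row of the inventory CSV."""
    return {r["host"]: assess(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host}: {status}")
```

An appliance reported as "unpatched-not-exposed" still runs the old package and becomes vulnerable as soon as file analysis or a content filter is assigned to an incoming mail policy.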
Source: bleepingcomputer.com