Cisco fixes critical flaws in Secure Email Gateway and SSM On-Prem (CVE-2024-20401, CVE-2024-20419)
Cisco has fixed two critical vulnerabilities that may allow attackers to overwrite files on its Secure Email Gateways (CVE-2024-20401) and change the password of any user on its Smart Software Manager On-Prem license servers (CVE-2024-20419).
Neither flaw is being exploited in the wild, but both are remotely exploitable by unauthenticated attackers, so prompt action is advised.
CVE-2024-20401 and CVE-2024-20419
Cisco Secure Email Gateways aim to protect businesses against emails laden with malware, malicious links and scams, and against exfiltration of sensitive data via email.
CVE-2024-20401 stems from improper handling of email attachments and can be triggered by a remote attacker simply sending an email that contains a crafted attachment through an affected device.
“A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device,” Cisco explained in the advisory. “Manual intervention is required to recover from the DoS condition.”
The vulnerability is exploitable only if the file analysis feature or the content filter feature is enabled and assigned to an incoming mail policy, and if the system is running a Content Scanner Tools version earlier than 23.3.0.4823.
“The updated version of Content Scanner Tools is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later,” Cisco added.
Customers who have not configured the system to fetch Content Scanner Tools updates automatically will have to update manually, as no workarounds for this vulnerability exist.
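As an added triage example (not from the article or from Cisco), the following Python encodes the exposure conditions quoted above for CVE-2024-20401 so they can be applied to an inventory export; the inventory records and hostnames are constructed, and treating a device with an unknown scanner version as exposed when its AsyncOS predates 15.5.1-055 is a conservative assumption of mine, not a statement from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds as quoted from the Cisco advisory in the article above.
FIXED_CONTENT_SCANNER = "23.3.0.4823"
FIXED_ASYNCOS = "15.5.1-055"

def parse_version(v: str) -> Tuple[int, ...]:
    """Split a Cisco-style version ('23.3.0.4823', '15.5.1-055') into integers
    so comparison is numeric, not lexical (lexically '9' sorts after '10')."""
    parts = re.split(r"[.\-]", v.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)

def version_lt(a: str, b: str) -> bool:
    return parse_version(a) < parse_version(b)

@dataclass
class GatewayInventory:
    hostname: str
    asyncos_version: str
    content_scanner_version: Optional[str]  # None if the export lacks it
    file_analysis_on_incoming: bool   # file analysis assigned to an incoming mail policy
    content_filter_on_incoming: bool  # content filter assigned to an incoming mail policy

def exposed_to_cve_2024_20401(gw: GatewayInventory) -> bool:
    """Exposed only if the scanner is old AND a triggering feature is on an incoming policy."""
    if gw.content_scanner_version is not None:
        scanner_old = version_lt(gw.content_scanner_version, FIXED_CONTENT_SCANNER)
    else:
        # Assumption (mine): with no scanner version recorded, treat AsyncOS older than
        # the release that bundles the fixed scanner as still running the old scanner.
        scanner_old = version_lt(gw.asyncos_version, FIXED_ASYNCOS)
    feature_on = gw.file_analysis_on_incoming or gw.content_filter_on_incoming
    return scanner_old and feature_on

def triage(inventory: List[GatewayInventory]) -> dict:
    return {gw.hostname: exposed_to_cve_2024_20401(gw) for gw in inventory}

# Constructed sample inventory; hostnames and the AsyncOS build numbers are made up.
SAMPLE_INVENTORY = [
    GatewayInventory("esa-01.example", "15.0.0-104", "23.3.0.4822", True, False),
    GatewayInventory("esa-02.example", "15.0.0-104", "23.3.0.4823", True, True),
    GatewayInventory("esa-03.example", "15.0.0-104", "23.3.0.4000", False, False),
    GatewayInventory("esa-04.example", "15.5.1-055", None, True, False),
    GatewayInventory("esa-05.example", "15.0.0-104", None, False, True),
]

if __name__ == "__main__":
    for host, exposed in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'EXPOSED' if exposed else 'not exposed'}")
```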
Cisco Smart Software Manager On-Prem is a server for managing customer product licenses.
“[CVE-2024-20419] is due to improper implementation of the password-change process,” Cisco explained, and can be triggered via a specially crafted HTTP request. A successful exploit “could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.”
The vulnerability affects Cisco SSM On-Prem and its earlier incarnation: Cisco Smart Software Manager Satellite. Admins are advised to upgrade to either Cisco SSM On-Prem v8-202212 or v9.
The flaw doesn’t affect Cisco Smart Licensing Utility.
UPDATE (August 9, 2024, 06:10 a.m. ET):
Cisco has updated the advisory for CVE-2024-20419 to say that proof-of-concept code is available. According to the Shadowserver Foundation, vulnerable exposed instances are few.