In a security advisory released on July 17, Cisco disclosed a critical vulnerability in their Secure Email Gateway that could have severe implications for organizations relying on this security solution. The flaw, identified as CVE-2024-20401, has a high CVSS base score of 9.8. This vulnerability allows an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system of the affected device.
The Cisco Secure Email Gateway is an email security solution that protects organizations from threats like spam, phishing, malware, and data loss. It acts as a barrier between an organization’s email system and external threats, using threat detection, data loss prevention, and email encryption to keep communications secure. The gateway integrates with existing email systems and offers flexible deployment options to ensure the security of email communications.
According to Cisco, the vulnerability arises from improper handling of email attachments when file analysis and content filters are enabled. If an attacker sends a specially crafted email attachment through the affected device, they can exploit this flaw to replace any file on the system. The potential consequences are significant. An attacker could add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition.
Cisco states, “Manual intervention is required to recover from the DoS condition. Customers are advised to contact the Cisco Technical Assistance Center (TAC) to help recover a device in this condition.”
One of the more concerning aspects of this advisory is the lack of workarounds. Organizations using the Cisco Secure Email Gateway cannot apply temporary fixes and must rely on software updates provided by Cisco.
This vulnerability impacts the Cisco Secure Email Gateway when it operates on a susceptible version of Cisco AsyncOS, given two specific conditions. First, either the file analysis feature, which is part of Cisco Advanced Malware Protection (AMP), or the content filter feature must be enabled and assigned to an incoming mail policy. Second, the Content Scanner Tools version must be earlier than 23.3.0.4823.
To determine if your system is vulnerable, Cisco provides a series of checks:
- File Analysis: Via the web management interface, navigate to Mail Policies > Incoming Mail Policies > Advanced Malware Protection and check if “Enable File Analysis” is selected.
- Content Filters: Check Mail Policies > Incoming Mail Policies > Content Filters to see if anything other than “Disabled” is displayed.
- Content Scanner Tools Version: Use the `contentscannerstatus` command in the CLI to verify the version. Versions prior to 23.3.0.4823 are vulnerable.
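The three checks above combine into one assessment: a device is affected only when an exposed feature is enabled and the Content Scanner Tools version is below 23.3.0.4823. The script below is an added example, not Cisco's tooling; the layout of the `contentscannerstatus` output it parses is an assumption (the regex only needs a dotted version token), and the sample output is constructed. It compares versions numerically per field, since plain string comparison would rank "23.3.0.823" above "23.3.0.4823".

```python
import re
from typing import Optional, Tuple

# Fixed Content Scanner Tools version named in the Cisco advisory for CVE-2024-20401.
FIXED_VERSION = "23.3.0.4823"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so each field compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the Content Scanner Tools version is earlier than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def extract_version(cli_output: str) -> Optional[str]:
    """Pull the first four-field dotted version out of CLI output.
    Assumption: the exact `contentscannerstatus` layout is not documented here,
    so only the presence of a version token is relied on."""
    match = re.search(r"\b(\d+\.\d+\.\d+\.\d+)\b", cli_output)
    return match.group(1) if match else None


def assess(cli_output: str, file_analysis_enabled: bool, content_filter_active: bool) -> dict:
    """Combine the advisory's conditions: an exposed incoming-mail feature
    (File Analysis or a non-Disabled content filter) plus a vulnerable version."""
    version = extract_version(cli_output)
    exposed = file_analysis_enabled or content_filter_active
    vulnerable_version = version is not None and is_vulnerable_version(version)
    return {
        "version": version,
        "feature_exposed": exposed,
        "vulnerable_version": vulnerable_version,
        "affected": exposed and vulnerable_version,
    }


# Constructed sample output, not a real capture from a device.
SAMPLE_OUTPUT = "Content Scanner Tools version: 23.3.0.4691\n"

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT, file_analysis_enabled=True, content_filter_active=False))
```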
Cisco has released updates that address this vulnerability. The fixed version of the Content Scanner Tools package, 23.3.0.4823 and later, is included in Cisco AsyncOS for Secure Email Software releases 15.5.1-055 and later. Updating the Content Scanner Tools does not require a software upgrade or product restart, simplifying the update process for administrators.
For those who have automated updates enabled, no action may be required. Manual updates can be performed using the CLI command `contentscannerupdate`.
This vulnerability is part of a series of security advisories that Cisco released on July 17. Another notable vulnerability that we covered earlier is a password change vulnerability in SSM On-Prem with a CVSS rating of 10.0.