On July 17, 2024, Cisco publicly disclosed critical vulnerabilities in Cisco Secure Email Gateway (SEG) and Cisco Smart Software Manager On-Prem (SSM), identified as CVE-2024-20401 and CVE-2024-20419 respectively. Both of these vulnerabilities may allow for unauthenticated administrative actions to be taken by threat actors when exploited.
Cisco Secure Email Gateway – Arbitrary File Write (CVE-2024-20401)
Cisco Secure Email Gateway is an on-premises email security solution designed to block spam and malicious content in email. During the investigation of a TAC support case, Cisco discovered a security flaw resulting in an arbitrary file write vulnerability. With a CVSS score of 9.8, this vulnerability could allow threat actors to create user accounts with root privileges. With root access obtained, threat actors could modify the device configuration, execute arbitrary code, or conduct a denial of service (DoS) attack.
This vulnerability is the result of improper handling of email attachments when file analysis and content filters are enabled in Cisco SEG. Consequently, the vulnerability can only be exploited when the content filter feature is enabled and assigned to an incoming mail policy. As an additional constraint, only Cisco SEG instances with Content Scanner Tools version earlier than 23.3.0.4823 are affected.
Cisco SSM On-Prem – Password Change (CVE-2024-20419)
Cisco SSM On-Prem is an on-premises license management solution used in place of the cloud-hosted Smart Software Manager service provided by Cisco. This vulnerability was responsibly reported to Cisco by security researcher Mohammed Adel. A CVSS score of 10.0 was assigned to the vulnerability, highlighting the risk of unauthenticated user password changes, including those of administrative accounts.
The flaw responsible for this vulnerability stems from improper implementation of the password-change process, which could be exploited by sending crafted HTTP requests to an affected device. While this vulnerability does not directly allow for remote code execution, the ability to gain administrative access could lead to significant unauthorized actions, including system configuration changes and data access. Under a supported configuration, this application would typically reside behind the firewall and would not be accessible on the public internet.
Risk of Exploitation
So far, there have been no reports of exploitation of CVE-2024-20401 or CVE-2024-20419 in the wild. However, threat actors may be able to develop their own exploits by reverse engineering the released patches from Cisco. Cisco has not listed any short-term workarounds, emphasizing the importance of applying the provided patches to address the risk of exploitation from these vulnerabilities.
Vulnerabilities
These vulnerabilities were publicly disclosed by Cisco on July 17, 2024.
CVE | CVSS | Exploitation Status | Public POC | Description |
CVE-2024-20401 | 9.8 | Not known to be actively exploited | No public POC available | Arbitrary File Write Vulnerability – By writing arbitrary files to the filesystem of a Cisco Secure Email Gateway device through a specially-crafted malicious attachment, a threat actor may be able to add users with root privileges. Once root access is obtained, threat actors may modify device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on affected devices. |
CVE-2024-20419 | 10.0 | Not known to be actively exploited | No public POC available | Password Change Vulnerability – Improper implementation of the password-change process allows unauthenticated threat actors to change the password of any user, including an administrator. If administrative access is gained, a threat actor may be able to make system configuration changes and access sensitive data. |
Recommendations for CVE-2024-20401 and CVE-2024-20419
Upgrade To a Fixed Version of Affected Software
Arctic Wolf strongly recommends upgrading to the fixed version of Cisco SEG and Cisco SSM On-Prem as detailed in the provided advisories.
Affected Product | Affected Versions | Fixed Version |
Cisco Secure Email – AsyncOS Content Scanner Tools release (CVE-2024-20401) | Content Scanner Tools versions earlier than 23.3.0.4823 | Content Scanner Tools version 23.3.0.4823 |
Cisco Smart Software Manager On-Prem and Cisco Smart Software Manager Satellite (CVE-2024-20419) | Versions 8-202206 and earlier | Version 8-202212 |
Note: The updated Content Scanner Tools version is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
Note: Cisco SSM On-Prem Version 9 and above are not affected by CVE-2024-20419.
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
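The following Python script is an added example, not part of the original advisory or of Cisco's tooling. It encodes the affected-version boundaries from the table above (Content Scanner Tools earlier than 23.3.0.4823; SSM On-Prem 8-202206 and earlier, fixed in 8-202212, version 9 and above unaffected) and runs them over a constructed device inventory. The hostnames, versions and the content_filter_on_incoming_policy field are assumptions made for the example; the field models the advisory's precondition that CVE-2024-20401 is only exploitable when a content filter is enabled and assigned to an incoming mail policy. Builds between 8-202206 and 8-202212 are not mentioned on the page and are treated here, as a stated assumption, as needing the update.

```python
"""Affected-version checks for CVE-2024-20401 (Cisco SEG) and CVE-2024-20419
(Cisco SSM On-Prem), using the version boundaries from the advisory table."""
import re

# Version boundaries quoted from the Cisco advisories summarised on the page.
SEG_CONTENT_SCANNER_FIXED = "23.3.0.4823"   # earlier releases are affected
SSM_ONPREM_FIXED = "8-202212"               # 8-202206 and earlier are affected
SSM_ONPREM_UNAFFECTED_MAJOR = 9             # version 9 and above not affected


def parse_dotted(version: str) -> tuple:
    """Parse a dotted release such as '23.3.0.4823' into a tuple of ints so
    that tuple comparison gives a numeric (not lexical) ordering."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError(f"unrecognised dotted version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def seg_content_scanner_affected(version: str) -> bool:
    """True when the Content Scanner Tools build is earlier than the fixed build."""
    return parse_dotted(version) < parse_dotted(SEG_CONTENT_SCANNER_FIXED)


def parse_ssm(version: str) -> tuple:
    """Parse an SSM On-Prem version of the form '<major>-<buildstamp>', e.g.
    '8-202206'. A bare major such as '9' is accepted with a zero build stamp."""
    match = re.fullmatch(r"(\d+)(?:-(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised SSM On-Prem version: {version!r}")
    major = int(match.group(1))
    build = int(match.group(2)) if match.group(2) else 0
    return (major, build)


def ssm_onprem_affected(version: str) -> bool:
    """True for 8-202206 and earlier. Version 9 and above are out of scope per
    the advisory; any 8.x build below the fixed build is treated as needing
    the update (an assumption for builds between 8-202206 and 8-202212)."""
    parsed = parse_ssm(version)
    if parsed[0] >= SSM_ONPREM_UNAFFECTED_MAJOR:
        return False
    return parsed < parse_ssm(SSM_ONPREM_FIXED)


# Constructed sample inventory: hostnames, versions and the content-filter flag
# are made up for this example, and 'content_filter_on_incoming_policy' is an
# assumed field name, not something the page or Cisco defines.
SAMPLE_INVENTORY = [
    {"host": "seg-01.example.internal", "product": "seg",
     "version": "23.3.0.4801", "content_filter_on_incoming_policy": True},
    {"host": "seg-02.example.internal", "product": "seg",
     "version": "23.3.0.4801", "content_filter_on_incoming_policy": False},
    {"host": "seg-03.example.internal", "product": "seg",
     "version": "23.3.0.4823", "content_filter_on_incoming_policy": True},
    {"host": "ssm-01.example.internal", "product": "ssm", "version": "8-202206"},
    {"host": "ssm-02.example.internal", "product": "ssm", "version": "9-202305"},
]


def assess_inventory(inventory: list) -> list:
    """Return one finding per affected device as (host, CVE, exploitable_now).

    For SEG, exploitable_now reflects the advisory's precondition that a content
    filter must be enabled and assigned to an incoming mail policy; the device
    still needs the patch either way. For SSM the flag is always True because
    the advisory states no such precondition."""
    findings = []
    for device in inventory:
        if device["product"] == "seg":
            if seg_content_scanner_affected(device["version"]):
                exploitable = bool(device.get("content_filter_on_incoming_policy", False))
                findings.append((device["host"], "CVE-2024-20401", exploitable))
        elif device["product"] == "ssm":
            if ssm_onprem_affected(device["version"]):
                findings.append((device["host"], "CVE-2024-20419", True))
        else:
            raise ValueError(f"unknown product: {device['product']!r}")
    return findings


if __name__ == "__main__":
    for host, cve, exploitable in assess_inventory(SAMPLE_INVENTORY):
        status = "exploitable as configured" if exploitable else "patch needed, precondition not met"
        print(f"{host}: {cve} ({status})")
```

Numeric tuple comparison matters here: a plain string comparison would rank "23.3.0.999" above "23.3.0.4823" and miss an affected build. Devices that are below the fixed build but whose content filter is not assigned to an incoming policy are still reported, since the advisory lists no workaround and only the patch removes the flaw.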
References