Blog Cisco Secure Email Vulnerability Lets Attackers Bypass Authentication

Days after Cisco notified its customers about a critical vulnerability in the Cisco Secure Email, the technology giant issued a patch on June 22 to mitigate the potential damage of the flaw. The flaw in the network device and security giant’s flagship Cisco Secure Email got a rating of 9.8 out of 10 in the CVEs criticality scoring system due to its damage potential to the Email Security Appliance (ESA), Secure Email, and Web Manager.

About the Cisco Secure Email vulnerability

Tracked under the CVE number CVE-2022-20798, the vulnerability has received significant attention because of the high CVE score (9.8). Researchers found the vulnerability while resolving a technical assistance center (TAC) case. It impacts ESA, Cisco Secure Email, and Web Manager, running vulnerable AsyncOS v14.x or earlier versions. These Cisco devices become vulnerable when they meet the following conditions:

• The devices employs LDAP as the authentication protocol

• The devices get the privileges for configuring and using external authentication

This vulnerability occurred due to inappropriate authentication assessments on affected devices that employ Lightweight Directory Access Protocol (LDAP) for external authentication. Cisco rolled out bug fixes on June 22, addressing the critical security vulnerability which affected its flagship products like Email Security Appliance (ESA), Secure Email, & Web Manager.

According to Cisco's statement, "An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device. A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device." Cisco's Product Security Incident Response Team (PSIRT) also mentioned that they were unaware of such publicly available exploits. Attackers could have used this security bug for malicious purposes in the wild.

Besides this, Cisco notified its customer about another critical flaw affecting small business routers like RV130, RV110W, RV215W, and RV130W. This flaw could lead to unauthenticated access or may cause an affected device to restart abruptly. The bug can also allow attackers to remotely execute arbitrary code or ultimately lead to a denial of service (DoS).

What type of devices does the Cisco Secure Email vulnerability impact?

This bug infects devices and appliances that can be configured for using external authentication protocols or LDAP for authentication. According to Cisco's statement, the use of external authentication protocol remains disabled by default on their devices. It means only those devices that come with non-default configurations might get impacted. Cisco also highlighted that the vulnerability does not affect any of the "Cisco Secure Web Appliance" products (earlier called the Cisco Web Security Appliance - WSA).

How to protect your system

Here is a list of techniques enterprises can use to prevent threats:

1. Check whether the external auth remains enabled. This can be verified by following these steps:

• Log into your appliance's web management interface/dashboard. 

• Navigate to "System Administration" > "Users". 

• Next, you will see a green check box next to "Enable External Authentication."

• You can disable it from there.

2. Update the patch Cisco rolled out to fix CVE-2022-20798.

3. IT admins and professionals who cannot manage to install the security updates for CVE-2022-20798 can find a workaround by disabling unidentified binds linked to the external authentication server.

Final thoughts

Cisco is known as the networking leader. They pioneered network devices and network security systems. Though the patch for the Cisco Secure Email vulnerability (CVE-2022-20798) is out, enterprises should consider conducting regular penetration testing to ensure all vulnerabilities in the system or network are identified proactively.

Interested in learning about the types of penetration testing available to you? Learn more here: https://www.packetlabs.net/services/