
Cisco Secure Email Gateway Arbitrary File Write Vulnerability (Critical)

Tuesday, 23 July 2024

Introduction

Cisco has discovered a critical vulnerability (CVSS Score 9.8) in the content scanning and message filtering features of Cisco Secure Email Gateway that could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system. This is due to improper handling of email attachments when file analysis and content filters are enabled.

This vulnerability, CVE-2024-20401, can be exploited by an attacker sending an email with a crafted attachment through an affected device. A successful exploit could allow the attacker to add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device; recovering from such a DoS condition requires manual intervention.

For customers who use Cisco Secure Email Cloud Gateway, no action is required.

Affected products

Vulnerable products

Cisco Secure Email Gateway is affected if it’s running a vulnerable release of Cisco AsyncOS and both of these conditions are met:

  • Either file analysis (part of Cisco Advanced Malware Protection, AMP) or the content filter feature is enabled and assigned to an incoming mail policy
  • Content Scanner Tools version earlier than 23.3.0.4823

Information on which Cisco software releases are vulnerable can be found here.

Determine whether file analysis is enabled

Complete these steps to check whether file analysis has been enabled:

  1. Connect to the product web management interface
  2. Choose Mail Policies > Incoming Mail Policies > Advanced Malware Protection
  3. Choose a Mail Policy and inspect the value of Enable File Analysis

File analysis is enabled if the box is checked.

Determine the version of the Content Scanner Tools

Run the contentscannerstatus command on the Command Line Interface (CLI) to determine the installed Content Scanner Tools version.
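As an added example, not from Cisco or this bulletin, the following Python helper applies the two affected-product conditions above to an inventory of appliances. The inventory records, hostnames and version strings are constructed for illustration, and the scanner version is assumed to have been copied by hand from the contentscannerstatus output.

```python
import re
from dataclasses import dataclass

# Threshold from the bulletin: Content Scanner Tools earlier than this are vulnerable.
FIXED_SCANNER_VERSION = "23.3.0.4823"


def parse_version(v: str) -> tuple:
    """Split a dotted/hyphenated version such as '23.3.0.4823' or '15.5.1-055'
    into integers so the comparison is numeric, not lexicographic
    (as strings, '23.3.0.999' would wrongly sort above '23.3.0.4823')."""
    return tuple(int(p) for p in re.split(r"[.-]", v.strip()))


@dataclass
class Appliance:
    hostname: str
    scanner_version: str   # as reported by contentscannerstatus (copied by hand)
    file_analysis: bool    # "Enable File Analysis" checked on an incoming mail policy
    content_filter: bool   # content filter enabled on an incoming mail policy


def is_vulnerable(a: Appliance) -> bool:
    """Both bulletin conditions must hold: file analysis or a content filter
    is enabled on an incoming mail policy, AND the scanner tools are older
    than the fixed release."""
    feature_enabled = a.file_analysis or a.content_filter
    outdated = parse_version(a.scanner_version) < parse_version(FIXED_SCANNER_VERSION)
    return feature_enabled and outdated


def triage(appliances) -> list:
    """Return the hostnames that still need the Content Scanner Tools update."""
    return [a.hostname for a in appliances if is_vulnerable(a)]


# Constructed inventory for demonstration only; hostnames and versions are made up.
SAMPLE = [
    Appliance("esa-01", "23.3.0.4810", True, False),   # old scanner, AMP on -> vulnerable
    Appliance("esa-02", "23.3.0.4823", True, True),    # fixed version -> not vulnerable
    Appliance("esa-03", "23.2.0.999", False, False),   # old scanner, neither feature enabled
    Appliance("esa-04", "23.3.0.4900", False, True),   # newer than the fixed release
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # ['esa-01']
```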

Products confirmed not vulnerable

The following products are not affected by this CVE:

  • Secure Email and Web Manager
  • Secure Web Appliance

Workarounds

There are currently no workarounds, but Cisco has released software updates to address this vulnerability. The advisory can be found here.

The updated versions of the Content Scanner Tools (23.3.0.4823 and later) fix this vulnerability and are included by default in Cisco AsyncOS for Cisco Secure Email Software (15.5.1-055 and later).