Cisco has warned customers of an additional four vulnerabilities in its products, including a very serious flaw in its email and web security equipment.
The networking giant has released a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco’s Secure Email and Web Manager and Email Security Appliance, in both the virtual and hardware appliances. Some older versions of both products have reached end of life, so the manufacturer will not release fixes for them; instead, it told customers to migrate to a newer version and ditch the old one.
This bug received a CVSS severity score of 7.7 out of 10, and Cisco noted that its security team is not aware of any in-the-wild exploits to date. That said, given the speed of reverse engineering, that day is likely to come.
To exploit the vulnerability, an attacker would need valid operator-level or higher access to the device. Once authenticated, the miscreant can steal sensitive information, such as user credentials, from a remote LDAP (Lightweight Directory Access Protocol) authentication server connected to the device, because of a flaw in how the device queries that server.
We can imagine a rogue insider or someone who compromised an operator account exploiting this flaw to further penetrate a network.
“This vulnerability is due to a lack of proper input sanitization when querying the external authentication server,” reads the security advisory, released last week and updated yesterday with more details about available software fixes.
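As an added illustration of the bug class the advisory names (this is not Cisco's code and not from the advisory), the Python sketch below contrasts an LDAP search filter built from raw input with one whose value is escaped per RFC 4515. The `uid` attribute, the filter shape and the sample input are assumptions made up for the example.

```python
# Added illustration, not Cisco's code. Attribute names, the filter shape
# and the sample input are constructed for this example.

# RFC 4515: these characters must appear as \XX hex escapes inside a
# filter assertion value, otherwise they are parsed as filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only match literally in a filter."""
    # Mapping one character at a time avoids double-escaping backslashes.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(username: str) -> str:
    """Flawed pattern: the input is pasted into the filter unchanged."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_filter(username: str) -> str:
    """Same query with the value escaped before it reaches the filter."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def node_count(ldap_filter: str) -> int:
    """Count filter nodes; escaped parentheses (\\28) are not counted."""
    return ldap_filter.count("(")


# Constructed input containing filter metacharacters.
SAMPLE = "alice)(mail=*"

if __name__ == "__main__":
    for build in (naive_filter, safe_filter):
        f = build(SAMPLE)
        print(f"{build.__name__:13} nodes={node_count(f)}  {f}")
```

The unescaped version gains a filter node the developer never wrote, while the escaped version keeps the intended three. Libraries such as python-ldap ship an equivalent helper (`ldap.filter.escape_filter_chars`).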
Cisco rated the other three vulnerabilities as moderately severe, although their CVSS scores range from 9.1 to 5.4. We’re told that miscreants haven’t exploited any of these bugs (yet).
The 9.1 vulnerability, tracked as CVE-2022-20829, is in the packaging of Cisco Adaptive Security Device Manager (ASDM) software images and the validation of those images by Cisco Adaptive Security Appliance (ASA) software.
Cisco rates the bug as moderate, despite the high CVSS score, because an attacker would need administrative privileges to exploit it. By uploading a specially crafted image containing malicious code to a device running Cisco’s ASA software and waiting for a targeted user to access that device via ASDM, the rogue administrator can execute the malicious code on the user’s computer.
It’s a pretty complicated vulnerability to exploit with a limited number of targets, which is good considering it’s only partially patched. Updating both the ASA software and the ASDM is required to fully address this vulnerability. The vendor has released patches for all affected ASDM versions. However, Cisco only has software updates for ASA software versions 9.17 and earlier. Fixes for 9.18 won’t be available until August and there are no workarounds.
This vulnerability is due to insufficient validation of the authenticity of an ASDM image during installation on a device running Cisco ASA software.
Buggy Firewalls
Also today, Cisco warned customers of a 6.5-severity flaw in the CLI parser of the Cisco FirePOWER Software for Adaptive Security Appliance FirePOWER module, tracked as CVE-2022-20828.
“This vulnerability could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as a root user,” the security advisory said.
An attacker would need administrative access to the ASA and ASA FirePOWER modules to exploit the bug. But assuming that is the case, a miscreant can abuse it using a crafted CLI command or HTTPS request. Still, “the attack vector via an HTTPS request is only open if HTTPS management access is enabled on the Cisco ASA hosting the ASA FirePOWER module,” the vendor noted.
Cisco FirePOWER software for ASA FirePOWER module releases 6.2.2 and earlier, plus releases 6.3.0 and 6.5.0, have reached end-of-life and will not be updated, so the vendor said customers should migrate to a release that includes a fix for this vulnerability.
However, one of the software updates won’t be available until July, and a second won’t arrive until December.
Enterprise Chat and Email Flaw
Finally, CVE-2022-20802, a flaw in the Cisco Enterprise Chat and Email web interface that could lead to a cross-site scripting attack on a user of the interface, received the lowest severity score of 5.4.
An attacker would require valid agent credentials to exploit this vulnerability and could do so by sending a crafted HTTP request to the affected system. “A successful exploit could allow the attacker to run arbitrary code in the context of the interface or access sensitive browser-based information,” Cisco warned.
Cisco said it will fix versions 12.6(1) ES2 and earlier in a future software release, but didn’t provide a timeline for when that will happen.