Cisco addressed a critical severity vulnerability in the Cisco Secure Email Gateway. Tracked as CVE-2024-20401, the vulnerability may allow an attacker to replace any file on the underlying file system.
Cisco Secure Email Gateway (SEG) is a device or software that monitors and protects email from unwanted content, such as spam, phishing attacks, malware, or fraudulent content.
Cisco offers multiple SEG products, including:
- Cisco Email Security Appliance (ESA)
- Cisco Secure Email Cloud Gateway
- Cisco Secure Email Essentials
Vulnerability Details
The vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway originates from improper handling of email attachments when file analysis and content filters are enabled.
An attacker may exploit this vulnerability by sending an email containing a crafted attachment through an affected device. On successful exploitation, an unauthenticated, remote attacker may replace any file on the underlying file system.
An attacker can also perform the actions such as:
- Add users with root privileges
- Modify the device configuration
- Execute arbitrary code or cause a permanent denial of service (DoS) condition
Affected Versions
This vulnerability affects Cisco Secure Email Gateway if it is running a vulnerable release of Cisco AsyncOS and both of the following conditions are met:
- Either the file analysis feature, which is part of Cisco Advanced Malware Protection (AMP), or the content filter feature is enabled and assigned to an incoming mail policy
- The Content Scanner Tools version is older than 23.3.0.4823
Mitigation
Customers must upgrade to the Content Scanner Tools versions 23.3.0.4823 and later to patch the vulnerability.
For more information, please refer to Cisco Security Advisory (cisco-sa-esa-afw-bGG2UsjH).
Qualys Detection
Qualys customers can scan their devices with QID 317469 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.