Cisco reports vulnerabilities in products such as Mail and Web Manager


Cisco has issued alerts for a vulnerability found in its messaging security and web management products that could allow an authenticated remote actor to retrieve sensitive information from an affected device.

An advisory released by Cisco this week pointed out that the vulnerability, detected in the web management interface of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (CSMA) and Cisco Email Security Appliance (ESA), allows an authenticated actor to extract sensitive information through a Lightweight Directory Access Protocol (LDAP) server connected to the device in question.

This vulnerability is due to a design error in the polling process, according to Cisco. LDAP is an external authentication protocol for accessing and maintaining distributed directory information services over the public Internet or corporate intranet.

No public exploitation discovered (yet)

The vulnerability was found during internal security testing and, as of Tuesday, when the advisory was published, the Cisco team was unaware of any public announcement or exploitation of the vulnerability, the company said.

According to the advisory, the vulnerability received a CVSS score of 7.7 and has no workaround. The vulnerability, with bug IDs CSCvz20942 and CSCvz40090 for virtual and hardware appliances, respectively, can be exploited provided the affected devices:

  • Are running a vulnerable version of Cisco AsyncOS software
  • Are configured to use external authentication
  • Use LDAP as the authentication protocol

External Authentication is disabled by default and can be verified by navigating to System Administration > Users > External Authentication.

Cisco has confirmed that the vulnerability does not affect Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), a hardware plug-in for the company’s Secure Web Gateway (SWG).

Cisco has released free software updates that address the vulnerability; they can be obtained by customers with service contracts for regular software updates. Customers without a valid service contract, or who acquired products through third-party outlets, are advised to obtain the fixed software by contacting Cisco TAC (Technical Assistance Center).

The vulnerabilities have CVSS scores ranging from 5.4 to 9.1

Cisco also disclosed three additional vulnerabilities with CVSS scores ranging from 5.4 to 9.1.

The vulnerabilities include one (CVE-2022-20829) in Cisco Adaptive Security Device Manager (ASDM) and Adaptive Security Appliance (ASA) with a CVSS score of 9.1. This was rated moderately serious, despite a high CVSS score, because the attacker requires administrative privileges and the target is relatively limited. The vulnerability has received a partial fix that requires updating the ASA software and ASDM.

The second vulnerability (CVE-2022-20828) is in the Cisco Firepower Software Firepower Module Command Line Interface (CLI) scanner for the Adaptive Security Appliance. This bug, rated at 6.5 CVSS, may allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA Firepower module as the root user, according to the security advisory. Migrating to a July release containing the patch is the only solution to the vulnerability.

Finally, the CVE-2022-20802 vulnerability, found in the Cisco Enterprise Chat and Email Web Interface, may allow cross-site scripting against a user of the interface for this software, and received a severity score of 5.4. Cisco said it would address the vulnerability with future updates, but did not provide a timeline for doing so.

Copyright © 2022 IDG Communications, Inc.