A critical vulnerability in Cisco Secure Email Gateway has been discovered, potentially allowing unauthenticated remote attackers to overwrite arbitrary files on the underlying operating system. This severe security flaw, identified as CVE-2024-20401 and rated 9.8 on the CVSS scale, poses a significant risk to users of the affected software.
Cisco Secure Email Gateway is a security tool used by organizations to filter and protect against email-based threats, including spam, phishing, and malware. It is commonly employed by enterprises and service providers to ensure secure email communication. The impact of this vulnerability is substantial, as it compromises the integrity and security of the email gateway, potentially exposing sensitive information and disrupting email services.
Vulnerability details
This vulnerability was uncovered during the resolution of a Cisco Technical Assistance Center (TAC) support case. It affects the content scanning and message filtering features of Cisco Secure Email Gateway, which are integral to protecting organizations from malicious emails and attachments. The vulnerability arises from improper handling of email attachments when file analysis and content filters are enabled.
An attacker can exploit this flaw by sending an email with a crafted attachment through a vulnerable device. Upon successful exploitation, the attacker could overwrite any file on the system, potentially allowing them to:
- Add users with root privileges
- Modify device configurations
- Execute arbitrary code
- Cause a permanent denial of service (DoS) condition
Impact
The vulnerability affects Cisco Secure Email Gateway running vulnerable releases of Cisco AsyncOS, specifically when the file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled. Additionally, the Content Scanner Tools version must be earlier than 23.3.0.4823.
To determine if your system is vulnerable:
- Check if the file analysis feature is enabled via the web management interface under Mail Policies > Incoming Mail Policies > Advanced Malware Protection.
- Verify if content filters are enabled under Mail Policies > Incoming Mail Policies > Content Filters.
- Use the CLI command 'contentscannerstatus' to check the version of Content Scanner Tools.
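The three checks above reduce to one condition: a scanning feature is enabled and the Content Scanner Tools version is below 23.3.0.4823. The following Python is an added example (not from Cisco or the original article) that encodes that condition, taking the feature states and version string as values an operator has already read from the web interface and the 'contentscannerstatus' output; it does not parse the real CLI output, whose format is not shown here, and the sample readings at the bottom are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

# Minimum fixed Content Scanner Tools version named in the advisory.
FIXED_SCANNER_VERSION = "23.3.0.4823"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '23.3.0.4823' into integer components.

    Numeric comparison matters: a plain string compare would rank
    '23.10.0.1' below '23.3.0.4823', which is wrong.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def scanner_is_patched(version: str) -> bool:
    """True when Content Scanner Tools is 23.3.0.4823 or later."""
    return parse_version(version) >= parse_version(FIXED_SCANNER_VERSION)


@dataclass(frozen=True)
class ExposureCheck:
    file_analysis_enabled: bool    # Advanced Malware Protection setting
    content_filters_enabled: bool  # Content Filters setting
    scanner_version: str           # version shown by 'contentscannerstatus'

    def exposed(self) -> bool:
        """Exposed when either feature is on AND the tools are below the fix."""
        feature_on = self.file_analysis_enabled or self.content_filters_enabled
        return feature_on and not scanner_is_patched(self.scanner_version)

    def remediation(self) -> str:
        if not self.exposed():
            return "not exposed"
        return (f"update Content Scanner Tools from {self.scanner_version} to "
                f"{FIXED_SCANNER_VERSION} or later (CLI: contentscannerupdate)")


if __name__ == "__main__":
    # Constructed sample readings, not real device output.
    for check in (ExposureCheck(True, False, "23.3.0.4800"),
                  ExposureCheck(False, False, "23.3.0.4800"),
                  ExposureCheck(False, True, "23.3.0.4823")):
        print(check.scanner_version, "->", check.remediation())
```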
Mitigation recommendations
Cisco has released software updates to address this critical vulnerability. There are no workarounds available. Users are urged to update their Content Scanner Tools to version 23.3.0.4823 or later. The updated tools are included in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
Updating the Content Scanner Tools can be done manually using the CLI command 'contentscannerupdate', or automatically through the web management interface by enabling automatic updates under Security Services > Service Updates.
For users of Cisco Secure Email Cloud Gateway, Cisco has already taken measures to protect the infrastructure, and the fixed version will be deployed automatically as part of the standard upgrade processes.