Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

To exploit the vulnerability, an attacker needs valid operator-level or higher access to the appliance. Once authenticated, the miscreant can steal sensitive information, such as user credentials, from a Lightweight Directory Access Protocol (LDAP) external authentication server connected to the device due to a blunder in the query process.

We can imagine a rogue insider or someone who has compromised an operator account exploiting this flaw to further penetrate a network.

"This vulnerability is due to a lack of proper input sanitization while querying the external authentication server," reads the security advisory, which was issued last week and updated yesterday with more details on available software fixes. In other words, what an operator types is passed into the LDAP lookup without being cleaned up first.
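The advisory describes the classic shape of an LDAP query bug: user-supplied text is spliced into a search filter without escaping. As an added illustration (not Cisco's code, and not a description of the appliance's actual query), the following Python shows a naive string-concatenated lookup next to one that escapes the value per RFC 4515, plus a small structural check that counts the assertions in the resulting filter. The attribute name `uid` and the sample usernames are constructed for the example.

```python
import re

# Characters that have structural meaning inside an LDAP filter (RFC 4515).
_FILTER_SPECIALS = '\\*()\x00'
# LDAP attribute descriptions are ASCII: a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    Special characters and every byte of a non-ASCII character are rewritten
    as a backslash followed by two hex digits, as RFC 4515 requires.
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 0x7f:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def build_user_filter_unsafe(username: str, uid_attr: str = 'uid') -> str:
    """The 'before' pattern: raw concatenation, so the caller's text can change
    the filter's structure. Kept only to contrast with the hardened version."""
    return '(%s=%s)' % (uid_attr, username)


def build_user_filter(username: str, uid_attr: str = 'uid') -> str:
    """Hardened lookup: validate the attribute name (it should never come from
    the user) and escape the value so it is matched literally."""
    if not _ATTR_RE.match(uid_attr):
        raise ValueError('invalid attribute name: %r' % uid_attr)
    return '(%s=%s)' % (uid_attr, escape_filter_value(username))


def assertion_count(ldap_filter: str) -> int:
    """Count unescaped '(' characters, i.e. the number of assertions the
    server will see. A single-user lookup must always yield exactly one."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == '\\':
            i += 3  # skip the escape sequence: backslash plus two hex digits
            continue
        if ch == '(':
            count += 1
        i += 1
    return count


if __name__ == '__main__':
    # Constructed sample inputs: an ordinary login name and one carrying filter metacharacters.
    for name in ('jdoe', 'jdoe)(cn=*'):
        unsafe = build_user_filter_unsafe(name)
        safe = build_user_filter(name)
        print('%-12s unsafe=%-22s assertions=%d' % (name, unsafe, assertion_count(unsafe)))
        print('%-12s safe  =%-22s assertions=%d' % (name, safe, assertion_count(safe)))
```

Escaping is the fix, but the `assertion_count` check is the kind of cheap invariant a reviewer can assert in a unit test so that a future refactor cannot quietly reintroduce concatenation. The attribute-name check matters too: even an escaped value is no help if the attribute on the left of the `=` is itself taken from the request.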

Cisco deemed the three other vulnerabilities medium severity, though their CVSS scores range from 9.1 to 5.4. We're told miscreants haven't (yet) exploited any of these bugs either.

The 9.1-severity vuln, tracked today as CVE-2022-20829, is in the packaging of Cisco Adaptive Security Device Manager (ASDM) software images and the validation of those images by Cisco Adaptive Security Appliance (ASA) software.

Cisco only rates the bug as medium severity, despite the high CVSS score, because an attacker needs administrative privileges to exploit this bug. By uploading a specially crafted image containing malicious code to a device running Cisco's ASA software, and waiting for a targeted user to access that device via ASDM, the rogue administrator can execute the malicious code on the user's machine.

It's a fairly complicated vulnerability to exploit with a limited set of targets, which is good considering it's only partially patched. Updating both the ASA software and the ASDM is required to fully fix this vulnerability. The vendor issued patches for all affected ASDM versions. However, Cisco only has software updates for ASA software releases 9.17 and earlier. Fixes for 9.18 won't be available until August, and there are no workarounds.

"This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software," the vendor noted.

Buggy firewalls

Also today, Cisco warned customers about a 6.5-severity flaw in the CLI parser of the Cisco FirePOWER Software for Adaptive Security Appliance FirePOWER module, tracked as CVE-2022-20828.

"This vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user," according to the security advisory.

An attacker must have administrative access to the ASA and the ASA FirePOWER module to exploit the bug. But assuming that's the case, a miscreant could exploit it using a crafted CLI command or HTTPS request. Still, "the attack vector through an HTTPS request is open only if HTTPS management access is enabled on the Cisco ASA that is hosting the ASA FirePOWER module," the vendor noted.

Cisco FirePOWER Software for ASA FirePOWER module releases 6.2.2 and earlier, plus releases 6.3.0 and 6.5.0, have reached end of life, and won't be updated, so the vendor said customers should migrate to a release that includes a fix for this vulnerability. 

However, one of the software updates won't be available until July and a second until December.

Enterprise chat and email flaw

Finally, CVE-2022-20802, a flaw in the web interface of Cisco Enterprise Chat and Email that could lead to a cross-site scripting attack against a user of the interface, received the lowest severity score of 5.4.

An attacker would need valid agent credentials to exploit this vulnerability, and could do so by sending a crafted HTTP request to the affected system. "A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information," Cisco warned.

Cisco said it will fix versions 12.6(1) ES2 and earlier in a future software release, but didn't provide a timeline for when that will happen. ®
