Technology conglomerate Cisco disclosed a significant vulnerability. The latest Cisco vulnerability, discovered on June 6, 2022, allowed cybercriminals to crash Cisco Secure Email appliances remotely by sending malicious email messages.

The high-profile Cisco vulnerability, CVE-2022-20798, could allow cybercriminals to cut an affected device off from its management interfaces, rendering it unreachable and causing a DoS (Denial of Service). Let us look at the Cisco vulnerability that has caused such a commotion.


What is CVE-2022-20798?

The Cisco vulnerability was discovered in DANE (DNS-based Authentication of Named Entities), an email verification component. The component is part of Cisco’s Async OS, used by the Cisco ESA (Email Security Appliance), and the flaw allows remote attackers to bypass authentication and mount a DoS attack.

By sending crafted emails that exploit the DNS error handling, threat actors could keep the appliance processing chained email messages for extended intervals, leaving the device in a persistent DoS state. You can read in detail about the CVE-2022-20798 vulnerability here.


How Does this Cisco Vulnerability Affect You?

The Cisco CVE-2022-20798 vulnerability was identified during a TAC (Technical Assistance Center) support case. The vulnerability affects the ESA and Secure Email and Web Manager running Cisco Async OS version 11 and earlier.

However, the vulnerability only affects versions 12 through 14.x if:

  • you have configured your device to use external authentication
  • your device uses LDAP (Lightweight Directory Access Protocol) as the authentication protocol


How to Protect Against this Cisco Vulnerability?

Both of the above conditions must hold for the vulnerability to be exploitable on newer versions. In practice, the vulnerability only impacts customized configurations, since the external authentication feature is disabled by default.

To check whether the feature is turned on, follow these steps:

  1. Log in to the web management interface.
  2. Navigate to System Administration > Users and check whether “Enable External Authentication” is ticked.


Is there a Patch for CVE-2022-20798?

Yes, Cisco released a security patch, published on June 15, 2022. Although Cisco described a quick workaround for the vulnerability, disabling anonymous binds, it has also released free software updates that address the vulnerability.

Users have little to do beyond installing the software update.

Async OS version 11 and earlier have reached the end of software maintenance, so users on those releases will need to migrate to a supported release that includes the fix for the vulnerability.

The year has not been kind to Cisco: in February 2022 it had to release patches for several maximum-severity security flaws and critical bugs in SMB routers. Cisco’s patches addressed multiple vulnerabilities in the SMB RV Series router platform that allowed remote hackers to gain complete control over user devices. These patches fixed 15 vulnerabilities, five of which were rated critical because they granted admin privileges to threat actors.


Previous Critical Vulnerabilities in Cisco Secure Email

There have been many critical vulnerabilities in Cisco’s Email Security Appliance and Secure Email as well. Some of these are:

  • CVE-2021-1566: Discovered in June 2021, CVE-2021-1566 was a severe vulnerability in Cisco’s AMP (Advanced Malware Protection) integration. The AMP component is used by Cisco’s Async OS, which runs on Cisco’s ESA and WSA (Web Security Appliance). This vulnerability allowed unauthenticated cybercriminals to intercept the TLS (Transport Layer Security) traffic between the device and the AMP server. By intercepting the TLS traffic, threat actors could send maliciously crafted TLS packets to spoof the server and extract critical information.
  • CVE-2021-1129: Discovered in January 2021, CVE-2021-1129 was an authentication vulnerability in the general-purpose APIs (Application Programming Interfaces) of the Cisco ESA, WSA, and SMA (Security Management Appliance). A cybercriminal could exploit CVE-2021-1129 by sending crafted requests to obtain system configuration information. This amounts to unauthorized information disclosure, and the information could be used for further attacks.
  • CVE-2020-3447: CVE-2020-3447 was a CLI (Command Line Interface) vulnerability in Cisco Async OS. The vulnerability, discovered in August 2020, affected the Cisco ESA and SMA and allowed threat actors to access critical device information. Due to faulty log subscriptions, an attacker could read particular logs on the devices. Since logs often include user credentials, attackers could obtain valid user credentials and wreak all kinds of havoc.
  • CVE-2020-3370: Another major vulnerability in Cisco systems, discovered in July 2020, lay in the faulty URL filtering mechanism of Cisco’s SMA. The vulnerability allowed threat actors to bypass URL filtering with malicious HTTP requests and redirect victims to fake or malicious websites.

The above vulnerabilities have long since been patched.

Today, any organization, business, or service provider must emphasize cybersecurity. Even with the best security practices, vulnerabilities and bugs still arise, as Cisco’s recent email appliance vulnerability shows.

But the rapid response and release of patches have made it clear that Cisco prioritizes its security and values its customers.


Final Words

Cisco’s CVE-2022-20798 vulnerability has made headlines across cybersecurity forums. However, there is no need to panic, as the vulnerability was discovered and corrected promptly before any major repercussions or incidents occurred. You can rest assured that Cisco’s software patches have handled the vulnerability.
