A recently discovered flaw in Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager allows attackers to bypass authentication and log in to devices running a non-default configuration, the company confirmed.

An advisory released by Cisco revealed that the company stumbled upon the flaw while handling a support case through Cisco TAC. Although Cisco says there is no evidence that the flaw is being exploited in the wild, it is now tracked as CVE-2022-20798.

The good news is that a patch is now available and users are advised to apply it immediately.

Unauthorized access

The flaw stems from improper authentication checks on endpoints that use Lightweight Directory Access Protocol (LDAP) for external authentication, the company said. It only affects devices configured to use both external authentication and LDAP, and both of these settings are disabled by default.

"An attacker could exploit this vulnerability by entering a specific entry on the login page of the affected device," Cisco said. "A successful exploit could allow the attacker to gain unauthorized access to the web management interface of the affected device."

Users can check if external authentication is enabled on their device by logging in to the web management interface, navigating to System Administration > Users and looking for “Enable external authentication”.

Although installing the patch is the best way to mitigate the threat, there are other solutions, including disabling anonymous bindings on the external authentication server.
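One way for administrators to verify that the anonymous-bind workaround above is actually in effect on their own external authentication server. This is an added example, not Cisco's code or code from the original article: it builds a raw LDAPv3 anonymous BindRequest (empty DN, empty simple password) using only the standard library, sends it to the server, and decodes the resultCode of the BindResponse. A resultCode of 0 (success) means the server still accepts anonymous binds. The host and port are assumptions supplied by the caller.

```python
import socket

# LDAP resultCode values (RFC 4511) that a bind attempt commonly returns.
LDAP_RESULT = {0: "success", 7: "authMethodNotSupported",
               48: "inappropriateAuthentication", 49: "invalidCredentials",
               53: "unwillingToPerform"}

def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value

def build_anonymous_bind(msg_id: int = 1) -> bytes:
    """LDAPMessage carrying a BindRequest [APPLICATION 0] with version 3,
    an empty name and an empty simple [0] password, i.e. an anonymous bind."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b"")
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    """Decode the BER element at pos -> (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_result(resp: bytes) -> int:
    """Extract the ENUMERATED resultCode from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)       # skip messageID
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    rc_tag, rc, _ = _read_tlv(op, 0)
    if rc_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(rc, "big")

def describe_bind_result(code: int) -> str:
    return LDAP_RESULT.get(code, f"resultCode {code}")

def anonymous_bind_allowed(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Send an anonymous bind to your own LDAP server (host/port assumed).
    True means anonymous binds are still accepted and the workaround is not in place."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_anonymous_bind())
        resp = s.recv(4096)
    return parse_bind_result(resp) == 0
```

Run `anonymous_bind_allowed("ldap.example.internal")` against the authentication server referenced in the appliance's LDAP profile; anything other than a resultCode of 0 indicates the server refused the anonymous bind.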

This isn't the first time Cisco has had to fix the Secure Email Gateway. Earlier this year, it fixed a flaw that allowed remote attackers to crack unpatched devices via malicious emails.

Cisco also said it will not fix a zero-day found on the RV110W, RV130, RV130W and RV215W SMB routers because those devices have reached the end of their useful life, BleepingComputer discovered. Organizations using these devices could be at risk, as the zero-day allows attackers to execute arbitrary code with root-level privileges.

Via: BleepingComputer