Reading:
Cisco Fixed Critical Authentication Bypass Vulnerability Affecting Some Products

Cisco Fixed Critical Authentication Bypass Vulnerability Affecting Some Products

June 16, 2022

Cisco fixed a vulnerability discovered in the external authentication functionality of Secure Email and Web Manager. The vulnerability could allow threat actors to bypass authentication and log on to the web. The vulnerability tracked as CVE-2022-20798 has a 9.8 CVSS score.

How Does the Vulnerability Affect?

When a critically vulnerable device uses LDAP (Lightweight Directory Access Protocol) for external authentication, it performs insufficient authentication checks, creating a favorable condition for potential attacks.

Attackers can exploit the vulnerability with a specially crafted entry on the login screens of affected devices. After a successful exploit, they can gain access to the device’s web-based management interface.

Which Products Are Affected?

The vulnerability, code CVE-2022-20798, affects 11 and earlier, 12, 12.x, 13, 13.x, 14, and 14.x versions of Cisco ESA and Cisco Secure Email and Web Manager products running a vulnerable version of Cisco AsyncOS. Cisco underlines two conditions for the vulnerability to be exploited.

  1. Devices are configured to use external authentication.
  2. Devices using LDAP as the authentication protocol.

Cisco adds that external authentication is turned off in the default settings, and customers who turn on this setting are vulnerable to vulnerability.

Cisco Released Workaround and Patch

Cisco stated there is no evidence of any exploit so far, and released both the workaround and the patches. The company recommends disabling anonymous connections on the server with external authentication as a workaround. Although this solution did well in testing, it is strongly recommended that customers apply the latest security updates.

The patched products and versions are as follows:

Secure Email and Web Manager

Cisco AsyncOS Release

Fixed Release

11 and earlier

Recommended to upgrade to a patched version.

12

Recommended to upgrade to a patched version.

12.8

Recommended to upgrade to a patched version.

13.0

13.0.0-277

13.6

13.6.2-090

13.8

13.8.1-090

14.0

14.0.0-418

14.1

14.1.0-250

Email Security Appliance

Cisco AsyncOS Release

Fixed Release

11 and earlier

Recommended to upgrade to a patched version.

11

Recommended to upgrade to a patched version.

12

Recommended to upgrade to a patched version.

13

Recommended to upgrade to a patched version.

14

14.0.1-033

Use SOCRadar® FOR FREE 1 YEAR

With SOCRadar® Free Edition, you’ll be able to:

  • Prevent Ransomware attacks with Free External Attack Surface Management
  • Get Instant alerts for fraudulent domains against phishing and BEC attacks
  • Monitor Deep Web and Dark Net for threat trends
  • Get vulnerability intelligence when a critical zero-day is disclosed
  • Get IOC search & APT tracking & threat hunting in one place
  • Get notified with data breach detection

Free for 12 months for one corporate domain and 100 auto-discovered digital assets. Get Free Access.