
Critical Cisco bug lets hackers add root users on SEG devices

Cisco has fixed a critical security vulnerability that allows attackers to add new users with root privileges and permanently crash Security Email Gateway (SEG) devices via emails containing malicious attachments.

This arbitrary file write vulnerability in SEG content scanning and message filtering, identified as CVE-2024-20401, is caused by an absolute path traversal weakness that allows for the overwriting of any file in the underlying operating system.


“This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. A successful attack could allow an attacker to overwrite any file in the underlying file system,” Cisco explained.

“The attacker can then do any of the following: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a persistent denial of service (DoS) condition on the infected device.”

CVE-2024-20401 impacts SEG devices if they are running vulnerable versions of Cisco AsyncOS and the following conditions are met:

  • File analysis (part of Cisco Advanced Malware Protection) or content filtering is enabled and assigned to the inbound email policy.
  • Content Scanner Tools version is older than 23.3.0.4823.

The fix for this vulnerability is being delivered to affected devices with Content Scanner Tools version 23.3.0.4823 and later. The updated version is included by default in Cisco AsyncOS for Cisco Secure Email Software versions 15.5.1-055 and later.

How to find vulnerable devices

To check if file analysis is enabled, connect to the product management web interface, go to “Mail policies > Inbound policies > Advanced Antimalware Protection > Mail policies” and check if the “Enable file analysis” option is selected.

To check if content filters are enabled, open the product web interface and check if the “Content filters” column under “Select mail policies > Inbound mail policies > Content filters” shows anything other than Disabled.
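The two checks above, plus the Content Scanner Tools version condition, can be folded into a small inventory triage script. The following is an added example, not Cisco's code or tooling: the device records are constructed, the field names are assumptions standing in for whatever your inventory exports, and only the version thresholds (Content Scanner Tools 23.3.0.4823, AsyncOS 15.5.1-055) come from the advisory text. Versions are compared numerically, since a plain string comparison would rank "23.3.0.999" above "23.3.0.4823".

```python
"""Triage helper for CVE-2024-20401 exposure across a fleet of Cisco SEG devices.

Added example; not Cisco's code. Inventory field names are assumptions and the
sample records below are constructed. A device is flagged as exposed when
(file analysis OR content filters are active on the inbound policy) AND the
Content Scanner Tools version is older than 23.3.0.4823.
"""
import re
from dataclasses import dataclass

FIXED_SCANNER = (23, 3, 0, 4823)   # first Content Scanner Tools build with the fix
FIXED_ASYNCOS = (15, 5, 1, 55)     # AsyncOS 15.5.1-055 ships that build by default


def parse_version(text: str) -> tuple:
    """Turn '23.3.0.4823' or '15.5.1-055' into an integer tuple for ordering."""
    parts = re.split(r"[.\-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class SegDevice:
    name: str
    asyncos: str                 # reported AsyncOS version (assumed inventory field)
    scanner_tools: str           # Content Scanner Tools version (assumed inventory field)
    file_analysis_inbound: bool  # "Enable file analysis" ticked on the inbound policy
    content_filters_inbound: str # value of the "Content filters" column, e.g. "Disabled"


def classify(d: SegDevice) -> str:
    """Return 'exposed', or a short reason why the device is not exposed."""
    feature_on = (d.file_analysis_inbound
                  or d.content_filters_inbound.strip().lower() != "disabled")
    scanner_old = parse_version(d.scanner_tools) < FIXED_SCANNER
    if not feature_on:
        return "not exposed: file analysis and content filters disabled"
    if not scanner_old:
        return "not exposed: Content Scanner Tools already at fixed build"
    if parse_version(d.asyncos) >= FIXED_ASYNCOS:
        # Fixed AsyncOS but old scanner build should not happen; worth a second look.
        return "exposed (inventory inconsistent: fixed AsyncOS, old scanner)"
    return "exposed"


def triage(devices) -> dict:
    """Map device name -> classification for a whole inventory."""
    return {d.name: classify(d) for d in devices}


# Constructed sample inventory; version strings are illustrative only.
SAMPLE_INVENTORY = [
    SegDevice("seg-a", "15.0.0-100", "23.3.0.4799", True, "Disabled"),
    SegDevice("seg-b", "15.5.1-055", "23.3.0.4823", True, "Disabled"),
    SegDevice("seg-c", "15.0.0-100", "23.3.0.4799", False, "Disabled"),
    SegDevice("seg-d", "15.0.0-100", "23.3.0.4799", False, "Enabled"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Devices that come back as exposed are the ones to push the Content Scanner Tools update to first; the script deliberately treats any "Content filters" value other than Disabled as active, matching the check described above.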

Because SEG devices that are successfully exploited via CVE-2024-20401 are taken offline permanently, Cisco recommends that customers contact the Technical Assistance Center (TAC) to bring the devices back up, which requires manual intervention.

Cisco added that there are no workarounds available for devices affected by this vulnerability and advised all administrators to update vulnerable devices to protect them from attacks.

The company’s Product Security Incident Response Team (PSIRT) found no evidence of public exploits or attempted exploitation of the CVE-2024-20401 vulnerability.

Cisco on Wednesday also fixed a high-severity bug that allows attackers to change the password of any user on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators.