Researcher releases PoC codes for CVE-2022-20867 and CVE-2022-20868 flaws affecting Cisco products
On November 2, Cisco announced the release of patches for two vulnerabilities across its product portfolio, including high-severity defects in Cisco Email Security Appliance, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Next Generation Management products.
CVE-2022-20867 (CVSS score: 4.7) is a SQL injection vulnerability that affects Cisco ESA and Cisco Secure Email and Web Manager Next Generation Management. The issue exists because the next-generation UI management interface of Cisco ESA and Cisco Secure Email and Web Manager on impacted devices does not validate user-submitted parameters.
“An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system,” Cisco explains.
Cisco also announced patches for CVE-2022-20868 (CVSS score: 5.4), a security vulnerability impacting Cisco ESA, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Next Generation Management. The bug could allow an authenticated, remote attacker to elevate their privileges on a vulnerable system.
The vulnerabilities were discovered by an independent security researcher working with SSD Secure Disclosure. Recently, a security researcher published two detailed reports disclosing the technical details of the flaws.
“The specific flaw exists within the remediation_request_utils module. The issue results from the lack of proper validation of user-supplied data, which can result in SQL injection. An attacker can leverage this vulnerability to execute code in the context of root,” explains the CVE-2022-20867 write-up. However, for such an attack to work, authentication as a high-privileged user is required.
For CVE-2022-20868, the attacker would have to be authenticated, so the impact isn’t as critical. “The specific flaw exists within the jwt_api_impl module. The issue results from the usage of a static secret key to generate JWT tokens. An attacker can leverage this vulnerability to impersonate any user of the target server,” explains the write-up accompanying the CVE-2022-20868 PoC code.
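To illustrate the static-key weakness the write-up describes, here is an added example (not code from Cisco or from the researcher's reports): a minimal HS256 JWT issuer and verifier, a constructed hardcoded secret standing in for a key shipped inside the application, and the hardened alternative of a per-installation random secret together with a deployment check that flags the shipped default. The `STATIC_SECRET` value and all function names are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for a secret compiled into the application (hypothetical value).
STATIC_SECRET = b"example-static-jwt-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT. Anyone holding `secret` can mint a token for any `sub`,
    which is why a secret that is identical on every installation is fatal."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HMAC is valid under `secret`, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        # Only HS256 is accepted; the header's own "alg" is never used to pick a scheme.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return None


def new_installation_secret() -> bytes:
    """Hardened form: a 256-bit secret generated per deployment with a CSPRNG,
    stored outside the code (e.g. a root-only file), never shipped in the build."""
    return secrets.token_bytes(32)


def secret_is_shipped_default(secret: bytes) -> bool:
    """Deployment check: flag an installation still running on the static key."""
    return hmac.compare_digest(secret, STATIC_SECRET)
```

A token minted under the shared static key verifies on every installation that uses it, while the same token is rejected as soon as the verifier's secret is unique to the deployment.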
The analyst has published extensive technical details, including a PoC exploit for CVE-2022-20868, so it is important to address the vulnerabilities as soon as possible.
The Cisco PSIRT is not aware of any public announcements or malicious use of these vulnerabilities.