Critical Security Flaw in Cisco Secure Email Gateway: CVE-2024-20401
Cisco has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-20401) found in its Secure Email Gateway product. This flaw, with a CVSS score of 9.8, could allow attackers to overwrite arbitrary files on the underlying operating system, potentially leading to unauthorized user creation, configuration changes, remote code execution, or even a complete shutdown of the email gateway.
The Vulnerability Details
The flaw resides in the content scanning and message filtering features of the Cisco Secure Email Gateway. It arises from improper handling of email attachments when file analysis and content filters are enabled. An attacker can exploit this vulnerability by sending a specially crafted email attachment through the affected device. Upon successful exploitation, the attacker could overwrite any file on the system, potentially leading to severe consequences such as:
- Adding users with root privileges
- Modifying device configuration
- Executing arbitrary code
- Causing a permanent denial of service (DoS) condition
Who’s Affected?
CVE-2024-20401 impacts Cisco Secure Email Gateway systems running a vulnerable release of Cisco AsyncOS, provided the following conditions are met:
- The file analysis feature (part of Cisco Advanced Malware Protection – AMP) or the content filter feature is enabled and assigned to an incoming mail policy.
- The Content Scanner Tools version is earlier than 23.3.0.4823.
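The two conditions above can be checked across a fleet once each appliance's Content Scanner Tools version and feature state have been collected. The following Python is an added example, not Cisco's code or part of the advisory; it compares versions numerically (a plain string comparison would rank 23.10 below 23.3) and treats unparseable versions as needing manual review. The hostnames, the inventory fields and every sample version other than 23.3.0.4823 are constructed for illustration.

```python
from dataclasses import dataclass

# First fixed Content Scanner Tools version, as stated in the article.
FIXED_TOOLS = (23, 3, 0, 4823)


def parse_version(text):
    """Parse a dotted numeric version into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


@dataclass
class Gateway:
    name: str                # hypothetical hostname
    tools_version: str       # Content Scanner Tools version as collected
    file_analysis_on: bool   # file analysis assigned to an incoming mail policy
    content_filter_on: bool  # content filter assigned to an incoming mail policy


def assess(gw):
    """Apply both conditions: a scanning feature is in use AND tools are too old."""
    if not (gw.file_analysis_on or gw.content_filter_on):
        return "not affected"
    version = parse_version(gw.tools_version)
    if version is None:
        return "unknown"  # do not assume safe; verify on the appliance
    return "affected" if version < FIXED_TOOLS else "not affected"


def triage(inventory):
    return {gw.name: assess(gw) for gw in inventory}


# Constructed sample inventory.
INVENTORY = [
    Gateway("esa-01", "23.3.0.4823", True, True),    # at the fixed version
    Gateway("esa-02", "23.2.0.100", True, False),    # old tools, file analysis on
    Gateway("esa-03", "23.10.0.1", False, True),     # newer; string compare would misjudge
    Gateway("esa-04", "23.2.0.100", False, False),   # old tools, neither feature in use
    Gateway("esa-05", "n/a", True, True),            # version could not be collected
]

if __name__ == "__main__":
    for name, verdict in triage(INVENTORY).items():
        print(f"{name}: {verdict}")
```

A gateway reported as "not affected" only because neither feature is in use becomes affected as soon as one is enabled on an incoming mail policy, so it still belongs on the update list.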
Patch Now!
Cisco has addressed the vulnerability with an updated version of the Content Scanner Tools package, included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later. Administrators are strongly urged to update to the latest version of the Content Scanner Tools to mitigate the risk associated with this vulnerability. Cisco has confirmed that, to date, there have been no public announcements about this vulnerability and no malicious exploitation of it.