A vulnerability in Cisco Email Security Appliance and Cisco Secure Email & Web Manager could allow for an authentication bypass under specific conditions. Exploitation of this vulnerability could allow an unauthenticated attacker to gain unauthorized access to the web-based management interface of the affected device.
SYSTEMS AFFECTED:
RISK:
Government:
Businesses:
Home users: Low
TECHNICAL SUMMARY:
A vulnerability in Cisco Email Security Appliance and Cisco Secure Email & Web Manager could allow for an authentication bypass under specific conditions:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):
Exploitation of this vulnerability could allow an unauthenticated attacker to gain unauthorized access to the web-based management interface of the affected device.
RECOMMENDATIONS:
We recommend the following actions be taken:
1. Apply appropriate updates provided by Cisco to vulnerable systems immediately after appropriate testing. (M1051: Update Software, M1042: Disable or Remove Feature or Program)
2. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
3. Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API call behavior. (M1040: Behavior Prevention on Endpoint)
Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
REFERENCES:
Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQD
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20798