Networking giant Cisco published an advisory on 15 June 2022 detailing an authentication bypass vulnerability in Cisco ESA (Email Security Appliance) and Cisco Secure Email and Web Manager, formerly known as Cisco Security Management Appliance (SMA). The vulnerability, tracked as CVE-2022-20798, is rated Critical with a CVSS score of 9.8 out of 10. The flaw lies in the external authentication functionality of Cisco ESA and Cisco SMA and allows an unauthenticated, remote attacker to bypass authentication and log in to the web management interface of an affected device. Because it grants access to the web management interface, fixing CVE-2022-20798 should be treated as a priority. Let’s see how to fix CVE-2022-20798, an authentication bypass vulnerability in Cisco ESA and Cisco SMA, in this post.
Short Introduction About Cisco ESA And Cisco SMA:
About Cisco ESA:
Cisco Email Security Appliance (ESA) is a powerful email security gateway that provides comprehensive protection against all types of email-based threats. ESA uses a multi-layered approach to email security that includes advanced malware protection, spam filtering, and data loss prevention (DLP). ESA also provides granular control over email content and attachments and the ability to create custom policies to meet specific business needs.
Cisco ESA is easy to deploy and manage, making it an ideal solution for businesses of all sizes. The appliance is scalable to support the changing needs of businesses and offers the flexibility to create custom policies to meet specific email security requirements. With Cisco ESA, organizations can confidently protect their email systems and data from the ever-growing threat of email-based attacks.
Key Features of Cisco ESA include:
- Multi-layered email security protection.
- Granular control over email content and attachments.
- Flexible and scalable to support changing business needs.
- Easy to deploy and manage.
For more information about Cisco ESA, please visit: https://www.cisco.com/c/en/us/products/security/email-security/index.html.
About Cisco SMA:
Cisco Secure Email and Web Manager is an on-premises email and web security gateway that helps organizations protect their email and web communications from malware, phishing, and other threats. The gateway includes a robust set of features to control inbound and outbound email traffic, filter web traffic, and block malicious content. Additionally, Cisco Secure Email and Web Manager provides granular user controls, extensive reporting capabilities, and integration with third-party anti-virus and anti-spam solutions.
Organizations can use Cisco Secure Email and Web Manager to protect their employees from malware, phishing attacks, and other online threats. The gateway’s filtering capabilities can block malicious content before it reaches users’ inboxes, while the web filtering feature can prevent users from accessing malicious websites. Additionally, the gateway provides granular user controls that allow administrators to specify which users have access to which email and web resources. Cisco Secure Email and Web Manager also includes comprehensive reporting capabilities, so organizations can track email and web traffic patterns and identify potential security threats.
Additionally, Cisco Secure Email and Web Manager integrates with leading anti-virus and anti-spam solutions to provide an additional layer of protection for email and web communications. The gateway can also be used in conjunction with Cisco’s secure web gateway solution, providing organizations with a complete solution for protecting their email and web traffic.
Cisco Secure Email and Web Manager is available as a virtual appliance or hardware appliance. It can be deployed as a standalone solution or integrated with an existing Cisco ASA firewall for added protection.
The solution provides a comprehensive set of features to secure email and web traffic, including:
- Content filtering to block spam, phishing, and malware.
- URL filtering to block malicious or inappropriate websites.
- Email encryption to protect confidential information in transit.
- Web encryption to protect data and transactions.
- Authentication to ensure only authorized users can access email and web resources.
For more information about Cisco Secure Email and Web Manager (SMA), please visit: https://www.cisco.com/c/en/us/products/security/content-security-management-appliance/index.html#~features
Summary Of CVE-2022-20798:
This is an authentication bypass vulnerability in Cisco ESA (Email Security Appliance) and Cisco Secure Email and Web Manager, formerly known as Cisco Security Management Appliance (SMA). The flaw is due to improper authentication checks when an affected device uses Lightweight Directory Access Protocol (LDAP) for external authentication. An attacker could exploit it by entering a specific input on the login page of the affected device. A successful exploit allows an unauthenticated, remote attacker to bypass authentication and gain unauthorized access to the web management interface of the affected device.
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-20798 |
| Description | An Authentication Bypass Vulnerability in Cisco ESA and Cisco SMA |
| Associated ZDI ID | – |
| CVSS Score | 9.8 Critical |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
Products Affected By CVE-2022-20798:
The Cisco advisory says that this authentication bypass vulnerability affects both virtual and hardware appliances of Cisco ESA and Cisco SMA that run a vulnerable version of Cisco AsyncOS Software and meet both of the conditions below. Note: only devices on which external authentication is enabled are affected. External authentication is disabled in the appliances’ default settings, so devices left at the default configuration are considered safe.
- The devices are configured to use external authentication.
- The devices use LDAP as an authentication protocol.
Cisco ESA 14, 13, 12, 11, and earlier versions are affected by CVE-2022-20798. Cisco SMA 14.1, 14.0, 13.8, 13.6, 13.0, 12.8, 12, 11, and earlier versions are affected by CVE-2022-20798.
How To Check Your Cisco ESA And Cisco SMA Products Are Vulnerable To CVE-2022-20798?
This vulnerability affects only the devices on which external authentication is enabled, so the first thing to check is whether external authentication is enabled on your Cisco ESA and Cisco SMA devices. Let’s see how to check whether external authentication is enabled on your appliances.
- Log in to the appliances
Log in to the web-based management interface of Cisco ESA or Cisco SMA.
- Go to Users
Navigate to System Administration > Users
- Check whether External Authentication is enabled
If the Enable External Authentication check box is checked (shown in green), external authentication is enabled and the device meets the first condition above; if it also uses LDAP as the authentication protocol, it is exposed to CVE-2022-20798 until patched.
How To Fix CVE-2022-20798, An Authentication Bypass Vulnerability In Cisco ESA And Cisco SMA?
Cisco has released security patches to fix the CVE-2022-20798 vulnerability. The two tables below list the vulnerable Cisco AsyncOS releases for Cisco ESA and Cisco SMA with the recommended fix; we recommend upgrading to the appropriate fixed software release shown there.
Note: Cisco AsyncOS releases earlier than v11 are marked end-of-life and are out of support. Because v11 and earlier receive no vendor support, Cisco advises customers on those releases to migrate to a supported, fixed release.
Secure Email And Web Manager:
| Cisco AsyncOS Release | First Fixed Release |
|---|---|
| 111 and earlier | Migrate to fixed release. |
| 12 | Migrate to fixed release. |
| 12.8 | Migrate to fixed release. |
Email Security Appliance:
| Cisco AsyncOS Release | First Fixed Release |
|---|---|
| Earlier than 111 | Migrate to fixed release. |
| 11 | Migrate to fixed release. |
| 12 | Migrate to fixed release. |
| 13 | Migrate to fixed release. |
Cisco also offers a workaround for those who can’t fix the CVE-2022-20798 vulnerability immediately: the vendor’s note suggests disabling anonymous binds on the external (LDAP) authentication server. That’s it for now.
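The advisory summary above does not say what the "specific input" is, and the example below does not claim to reproduce Cisco's flaw or Cisco's AsyncOS code. It is an added illustration of the generic LDAP pitfall that makes "disable anonymous binds" a meaningful workaround for an authentication check that trusts the bind result alone: RFC 4513 (section 5.1.2) defines a simple bind carrying a DN and an empty password as an unauthenticated bind, which a directory that permits anonymous access will accept as "anonymous". The stub directory, the DNs and passwords, and the two login functions are all constructed for this example.

```python
"""Weak versus hardened LDAP-backed login check (added illustration).

Not Cisco's code. The StubLdapServer stands in for an external LDAP
authentication server and imitates RFC 4513 5.1.2 semantics: a simple
bind with a DN and an EMPTY password is an unauthenticated (anonymous)
bind that succeeds only while anonymous binds are allowed. Every DN and
password below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class StubLdapServer:
    """Minimal stand-in for the external authentication server."""
    passwords: Dict[str, str]      # DN -> password (constructed data)
    allow_anonymous: bool = True   # the setting the workaround turns off

    def simple_bind(self, dn: str, password: str) -> Tuple[bool, str]:
        """Return (bind_succeeded, authorization identity)."""
        if password == "":
            # RFC 4513 5.1.2: DN + empty password is an unauthenticated bind.
            if self.allow_anonymous:
                return True, "anonymous"
            return False, ""
        if self.passwords.get(dn) == password:
            return True, dn
        return False, ""


def weak_login(server: StubLdapServer, dn: str, password: str) -> bool:
    """Improper check: treats any successful bind as a valid login."""
    ok, _ = server.simple_bind(dn, password)
    return ok


def hardened_login(server: StubLdapServer, dn: str, password: str) -> bool:
    """Hardened check: no empty credentials, and the bound identity must
    be the user who is logging in, never 'anonymous'."""
    if not dn or not password:
        return False
    ok, who = server.simple_bind(dn, password)
    return ok and who == dn


def build_server(allow_anonymous: bool = True) -> StubLdapServer:
    """Directory with one constructed admin account."""
    return StubLdapServer(
        passwords={"uid=admin,ou=people,dc=example,dc=test": "correct-horse"},
        allow_anonymous=allow_anonymous,
    )


if __name__ == "__main__":
    admin = "uid=admin,ou=people,dc=example,dc=test"
    for anon in (True, False):
        srv = build_server(allow_anonymous=anon)
        print(f"anonymous binds allowed={anon}: "
              f"weak check with empty password -> {weak_login(srv, admin, '')}, "
              f"hardened check -> {hardened_login(srv, admin, '')}")
```

Running the block shows the two layers of defence the post describes: the patched appliance corresponds to `hardened_login`, which refuses empty credentials and verifies that the directory bound the expected identity, while the workaround corresponds to `allow_anonymous=False`, which makes even `weak_login` reject the empty-password bind. If the external server is OpenLDAP (an assumption, the page does not name the directory product), the equivalent server-side settings are `disallow bind_anon` and `require authc` in slapd.conf (`olcDisallows: bind_anon` and `olcRequires: authc` under cn=config); the usual check before enabling them is to confirm that nothing else in the environment still relies on anonymous lookups.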
We hope this post would help you know how to fix CVE-2022-20798, an authentication bypass vulnerability in Cisco ESA and Cisco SMA. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.