Cisco Secure Email bug can let attackers bypass authentication

Cisco notified customers this week to patch a critical vulnerability that could allow attackers to bypass authentication and login into the web management interface of Cisco email gateway appliances with non-default configurations.

The security flaw (tracked as CVE-2022-20798) was found in the external authentication functionality of virtual and hardware Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances.

CVE-2022-20798 is due to improper authentication checks on affected devices using Lightweight Directory Access Protocol (LDAP) for external authentication.

"An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device," Cisco explained.

"A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device."

An advisory published on Wednesday says the bug was discovered during the resolution of a Cisco TAC (Technical Assistance Center) support case.

Cisco's Product Security Incident Response Team (PSIRT) said it's not aware of any publicly available exploits for this security bug or malicious use of the vulnerability in the wild.

Doesn't affect default configurations

This bug only affects appliances configured to use external authentication and LDAP as the authentication protocol.

Luckily, according to Cisco, the external authentication feature is disabled by default, meaning only devices with non-default configurations are impacted.

To check if external auth is enabled on your appliance, log into the web-based management interface, go to System Administration > Users, and look for a green check box next to "Enable External Authentication."

Cisco also says this vulnerability does not affect its Cisco Secure Web Appliance product, previously known as Cisco Web Security Appliance (WSA).

Admins who cannot immediately install CVE-2022-20798 security updates can also apply a workaround that requires disabling anonymous binds on the external authentication server.

Another Secure Email gateway flaw patched in February could allow remote attackers to crash unpatched appliances using maliciously crafted email messages.

Today, Cisco also announced it wouldn't fix a critical zero-day bug affecting end-of-life RV110W, RV130, RV130W, and RV215W SMB routers, allowing attackers to execute arbitrary commands with root-level privileges.