Threat Advisory

Critical Flaw in Cisco Lets Attackers Bypass Authentication (002)

June 20, 2022 | By Accorian

𝗖π—₯π—œπ—§π—œπ—–π—”π—Ÿ 𝗧𝗛π—₯π—˜π—”π—§ π—”π——π—©π—œπ—¦π—’π—₯𝗬

Cisco addressed a critical vulnerability which affected the Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. The issue was due to improper authentication checks on devices using Lightweight Directory Access Protocol (LDAP) for external authentication.

Click on the link below and see how to verify if external authentication is enabled on your appliance.

Accorian regularly sends out email alerts for such threat advisories. If you too would like to receive these Threat Advisory Alerts via email, simply drop us an email atΒ Threatadvisory@accorian.io Β 

Source:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQDΒ 

Important: Kindly make sure you add us to your safe list, so these critical mails don’t get buried in your junk folder 

Hello,

Cisco addressed a critical vulnerability which affected the Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. The vulnerability could allow attackers to bypass authentication and login into the web management portal of Cisco. Patch for the vulnerability has already been released according to Cisco. 

The vulnerability was assigned CVE-2022-20798 and a CVSS score of 9.8. The issue is due to improper authentication checks on devices using Lightweight Directory Access Protocol (LDAP) for external authentication. According to Cisco, an attacker can exploit this vulnerability by giving a specific input on the login page of the affected device and then could access the web management portal. The vulnerability affects ESA, Secure Email and Web Manager running vulnerable AsyncOS software versions 11 and earlier, 12, 12.x, 13, 13.x, 14, and 14.x which meet the below 2 conditions:

  • The devices are configured to use external authentication
  • The devices use LDAP as the authentication protocol

To verify if external authentication is enabled on your appliance, log into the web-based management interface, then go to System Administration > Users, and look for a green check box next to “Enable External Authentication.” The vulnerability does not affect its Cisco Secure Web Appliance product or Cisco Web Security Appliance (WSA). 

Accorian recommends applying the patches at the earliest. Admins who cannot immediately install CVE-2022-20798 security updates can apply a workaround that requires disabling anonymous binds on the external authentication server.Β 

Source:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQDΒ 

Threat Advisory Team 

Accorian

Recent Post

Article

Critical Vulnerability in Ivanti’s Avalanche Enterprise MDM Solution

Ivanti, a leading technology company that offers IT asset management, security, endpoint, and supply chain solutions has released patches for seven critical and high-severity vulnerabilities in Avalanche, its Enterprise Mobile Device Management (MDM) solution. Among the vulnerabilities is the directory traversal flaw tracked down as CVE-2023-32563. It’s the most severe of the flaws with a CVSS score of 9.8. The MDM solution's updateSkin function has this directory traversal flaw that can be exploited without authentication. The problem arises from a user-supplied path not being properly validated before being used in file operations. This vulnerability can be misused by an attacker to execute remote codes.The release also addressed multiple stack-based buffer overflow bugs collectively tracked down as CVE-2023-32560 with a CVSS score of 8.8. These were discovered in the Wavelink Avalance Manager, which processes data using a fixed-size stack-based buffer. By delivering a specially written message to the service, an adversary can take advantage of this and potentially cause code execution or disrupt the service. In addition, two other high-severity remote code execution vulnerabilities CVE-2023-32562 and CVE-2023-32564 and three authentication bypass flaws CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 present in various components of the MDM solution were patched.Although none of these problems have been reported as being exploited in the wild, Accorian strongly recommends that all users of Avalanche update it to version 6.4.1.207, released earlier this month. For any further assistance, kindly reachout to us on info@accorian.com Source: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution - SecurityWeek Threat Advisory Team Accorian

View More

Article

Microsoft RCE & EOP Vulnerability in August Patch Release

Microsoft addressed 74 CVEs in its August Patch Tuesday release, out of which 6 were rated β€œCritical” and 67 were rated β€œImportant”. Remote code execution (RCE) vulnerabilities made up 31.5% of the vulnerabilities patched, with elevation of privilege (EoP) vulnerabilities making up 24.7%. One zero-day vulnerability was also addressed in the release. Among the RCE vulnerabilities are the CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 which have been assigned a CVSSv3 score of 9.8 and are β€œCritical”. The vulnerabilities are found in the Microsoft Message Queuing (MSMQ) component of the Windows operating system. An unauthenticated remote attacker can exploit this flaw by sending malicious MSMQ packets to a vulnerable MSMQ server, which leads to arbitrary code execution. Yet, to exploit this weakness, the susceptible server's Message Queuing service must be activated. According to Microsoft, if the service is enabled, it runs as "Message Queuing" and listens on TCP port 1801. Another β€œImportant” rated vulnerability is CVE-2023-21709 which is an EoP vulnerability found in Microsoft Exchange Server. An adversary could exploit this flaw by trying to brute force the password for valid user accounts. If exploited, the adversary can login as another user. According to Microsoft, a PowerShell script must be run after the patch has been applied. Microsoft addressed five other vulnerabilities in Microsoft Exchange Server which are tracked down as CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182 and CVE-2023-35388. The CVE-2023-38181 is a Spoofing Vulnerability which is assigned a CVSSv3 score of 8.8. If exploited, an attacker might acquire access to a user's Net-NTLMv2 hash, which could then be used to launch an NTLM Relay attack against another service to authenticate as the user. The rest are RCE vulnerabilities with scores 8.8, 8.8, 8.0 and 8.0 respectively. The CVE-2023-3182 and CVE-2023-35388 are rated β€œExploitation More Likely” by Microsoft. If exploited, an adversary could execute a code using PowerShell remoting session. To successfully exploit, the adversary would need to have LAN access and valid credentials for an Exchange user. Accorian strongly recommends patching systems as soon as they can be and routinely scanning your environment to find any systems that need to be patched. Organizations are encouraged to apply the latest Windows updates for August. Source: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug Threat Advisory Team Accorian

View More

Article

Critical Security Zero Day Vulnerabilities in Critix products - NetScaler ADC and NetScaler Gateway

Citrix, a leading technology company, has issued a warning to its customers about a critical-severity RCE vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. The severity of the issue is highlighted as critical and a CVSS score of 9.8. The exploits for this vulnerability are out in the wild and an adversary can use it to exploit Critix ADC versions up to 13.1 build 48.47.1. If this vulnerability is not fixed, adversaries would be able to exploit it to execute remote code without any authentication. The vulnerable appliance must, however, be set up as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy), or as an authentication virtual server (often known as the AAA server), for attackers to take advantage of this security weakness. Along with this Critix also addressed two other vulnerabilities: Reflected Cross-Site Scripting (CVE-2023-3466) and Privilege Escalation (CVE-2023-3467). Both being critical vulnerabilities, have a severity score of 8.3 and 8.0 respectively. The reflected cross-site scripting (XSS) issue requires a victim to load a link from an attacker on the same network. The Privilege Escalation vulnerability enables attackers to elevate privileges to those of a root administrator if they have authenticated access to the NetScaler appliances IP address (NSIP) or a SubNet IP (SNIP) with access to the management interface. Accorian strongly recommends the users of NetScaler ADC and NetScaler Gateway to update to the latest versions to fix all three issues at hand. The recommended versions are: NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0 NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP Source: New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com) Threat Advisory Team Accorian

View More

Article

Critical Flaw Uncovered in WordPress Plugin Used by 30,000 Websites

WordPress, the world's most popular website builder has recently published a critical vulnerability in one of their plugins, Abandoned Cart Lite for WooCommerce. The plugin is used by approximately 30,000 websites. The vulnerability has been tracked as CVE-2023-2986 and has been assigned a CVSS score of 9.8.  The vulnerability revolves around a broken access mechanism, which allows an adversary to gain unauthorized access to the accounts of users who have left their carts without completing the process of purchase basically, abandoned carts. According to the configuration of the Abandoned Cart Lite for WooCommerce plugin, a notification will be sent to customers who have not completed the process of purchasing. The notification has a link that automatically logs in the customer to the website to continue the process. Although this link contains an encrypted value that identifies the abandoned cart, the encryption key for this encrypted value is hardcoded in the plugin. This flaw allows adversaries to manipulate the abandoned cart id and gain access to the account associated with the abandoned cart. To mitigate this vulnerability, Accorian strongly recommends organizations to update the Abandoned Cart Lite for WooCommerce plugin to the latest version 5.15.1. By applying this update, users can ensure that the encryption key is no longer hardcoded, thereby preventing unauthorized access to user accounts through manipulated abandoned cart identifiers. It is also recommended to keep the site up to date with all the future updates. Source: https://www.wordfence.com/blog/2023/06/tyche-softwares-addresses-authentication-bypass-vulnerability-in-abandoned-cart-lite-for-woocommerce-wordpress-plugin/ Threat Advisory Team Accorian

View More

Article

VMware discloses 3 high severity bugs in their network monitoring tool

VMware, a provider of virtualization and cloud computing services, has released security upgrades to address three vulnerabilities in the Aria Operations for Networks weaknesses that might expose user information and allow remote code execution. The tool, named Aria, offers network visibility and analytics to speed micro-segmentation security, reduce risk during application migration, and enhance network performance. Versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 are susceptible to the attacks. CVE 2023-20887 is a command injection vulnerability with a CVSS severity score of 9.8, allowing an attacker to execute code remotely. The second, a 9.1 severity authentication deserialization flaw (CVE 2023-20888), permits remote code execution as well. A malicious actor may potentially execute remote code if they had network access to VMware Aria Operations for Networks and were an authorized member. The third vulnerability (CVE 2023-20889), rated 8.8, permits command injection attacks that could enable an attacker to get access to sensitive data. According to a statement made by VMware, there is no proof that attackers have leveraged the vulnerabilities to carry out any attacks. All three vulnerabilities have been patched, and according to VMware, there are no additional workarounds at this time. Accorian recommends applying all the patches to protect their environment. Source: https://www.vmware.com/security/advisories/VMSA-2023-0012.html Threat Advisory Team  Accorian

View More

Ready to Start?

SECURITY COMPLIANCE & ASSESSMENT SERVICES
CONSULTING & ASSESSMENT SERVICES

PENETRATION TESTING

RED TEAM ASSESMENTS

TECHNOLOGY STAFFING

Contact Info

E. info@accorian.com

T. +1-732-443-3468

Contact With Us

Office Address

Accorian Head Office

6,Alvin Ct, East Brunswick, NJ 08816 USA

Accorian Canada

Toronto

Accorian India

401,402, Prestige Towers, Residency Rd., Shanthala Nagar, Ashok Nagar, Bengaluru, Karnataka 560025, India

Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

Β© 2023 Accorian. All Rights Reserved.

Ready to Start?

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide