Threat Advisory

Critical Flaw in Cisco Lets Attackers Bypass Authentication (002)

June 20, 2022 | By Accorian

𝗖𝗥𝗜𝗧𝗜𝗖𝗔𝗟 𝗧𝗛𝗥𝗘𝗔𝗧 𝗔𝗗𝗩𝗜𝗦𝗢𝗥𝗬

Cisco addressed a critical vulnerability which affected the Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. The issue was due to improper authentication checks on devices using Lightweight Directory Access Protocol (LDAP) for external authentication.

Click on the link below and see how to verify if external authentication is enabled on your appliance.

Accorian regularly sends out email alerts for such threat advisories. If you too would like to receive these Threat Advisory Alerts via email, simply drop us an email at Threatadvisory@accorian.io  

Source:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQD 

Important: Kindly make sure you add us to your safe list, so these critical mails don’t get buried in your junk folder 

Hello,

Cisco addressed a critical vulnerability which affected the Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. The vulnerability could allow attackers to bypass authentication and login into the web management portal of Cisco. Patch for the vulnerability has already been released according to Cisco. 

The vulnerability was assigned CVE-2022-20798 and a CVSS score of 9.8. The issue is due to improper authentication checks on devices using Lightweight Directory Access Protocol (LDAP) for external authentication. According to Cisco, an attacker can exploit this vulnerability by giving a specific input on the login page of the affected device and then could access the web management portal. The vulnerability affects ESA, Secure Email and Web Manager running vulnerable AsyncOS software versions 11 and earlier, 12, 12.x, 13, 13.x, 14, and 14.x which meet the below 2 conditions:

  • The devices are configured to use external authentication
  • The devices use LDAP as the authentication protocol

To verify if external authentication is enabled on your appliance, log into the web-based management interface, then go to System Administration > Users, and look for a green check box next to “Enable External Authentication.” The vulnerability does not affect its Cisco Secure Web Appliance product or Cisco Web Security Appliance (WSA). 

Accorian recommends applying the patches at the earliest. Admins who cannot immediately install CVE-2022-20798 security updates can apply a workaround that requires disabling anonymous binds on the external authentication server. 

Source:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-esa-auth-bypass-66kEcxQD 

Threat Advisory Team 

Accorian

Recent Post

Article

Outdated WordPress plugin abused to deploy backdoors.

WordPress is a popular open-sourced content management system (CMS). An outdated WordPress plugin known, Eval PHP enables site administrators to insert PHP code into posts and pages of WordPress websites, which is then executed when the page is loaded in the browser. The "eval" function was originally used to execute arbitrary PHP code, which can be useful in certain contexts, such as when creating dynamic templates or customizing functionality. The plugin is still available on the WordPress plugins repository despite not receiving any updates in the last ten years. However, attackers are injecting backdoors into websites using the legitimate but outdated WordPress plugin known as Eval PHP. A sudden spike in the number of installations for the plugin was observed in April 2023. The attackers sneakily install the vulnerable plugin, which is available on the official WordPress plugin repository, on an already compromised website. All WordPress administrators are advised by Accorian to check for the presence of Eval PHP, particularly if they did not install the plugin themselves. The presence of this plugin on a website indicates that it is compromised and may contain backdoors. To prevent any exploitation, admins should remove the plugin if found and protect the account by implementing robust WAF and 2FA. It is also recommended to keep the site up to date with the latest updates. Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html Threat Advisory Team  Accorian

View More

Article

Critical Zero-day vulnerability in Microsoft Outlook

Microsoft recently released a patch for a new privilege escalation vulnerability (CVE-2023-23397) that impacts all versions of Microsoft Outlook on Windows. The vulnerability is being tracked as CVE-2023-23397 and holds a CVSS score of 9.8. By sending a specially crafted email, an attacker can remotely obtain hashed passwords without the victim ever having to open them. Microsoft has now officially released patches for the vulnerability, but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since mid-April 2022. Without the interaction of the user, an attacker can steal NTLM credentials by sending a malicious email. Exploitation takes place when the system's reminder is triggered, and Outlook is opened. According to Microsoft, by sending a message with an extended MAPI property and a UNC path to an SMB (TCP 445) share on a server under the attacker's control, an attacker can exploit the vulnerability to retrieve NTLM hashes. Accorian recommends that organizations update Microsoft Outlook for Windows as soon as possible. If not possible immediately, block outbound SMB (TCP port 445) and add users to the Protected Users group in Active Directory. This would limit the impact of the vulnerability. Accorian can help you identify the vulnerability in your environment. For more information. kindly reach out to us. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 Threat Advisory Team  Accorian

View More

Article

Exploit Publicly available for MS Word Remote Code Execution flaw

CVE-2023-21716, a heap corruption vulnerability that was patched by Microsoft as part of its February 2023 Patch Tuesday cycle, now has it's exploit publicly accessible. The vulnerability holds a CVSS score of 9.8 and can allow attackers to execute code remotely without needing any authentication. The flaw impacts several MS Office and SharePoint versions, as well as Microsoft 365 Apps for Enterprise. The vulnerability exists in Microsoft Word's RTF parser and is a heap corruption issue. Attackers can remotely execute code with the same level of privileges as the victim if successfully exploited. The flaw does not require prior authentication, attackers can simply send a decoy RTF file to the victim(s) via email. ‘Protected View’, a feature of Microsoft Office 2010 and later, helps to reduce the impact that a malicious document provided from untrusted sources might cause. As the vulnerability exists when ‘Protected View’ is in use, exploiting it would require an additional sandbox escape vulnerability to gain full privileges. Although Microsoft has released fixes for CVE-2023-21716, it is strongly advised that organizations patch right away because the Proof of Concept is now widely available. Microsoft has also issued temporary solutions for CVE-2023-21716. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 Threat Advisory Team  Accorian

View More

Article

Critical Vulnerability found in Atlassian's Jira Service Management

A critical security flaw in Jira Service Management Server and Data Centre has been fixed by Atlassian. The flaw has been identified as CVE-2023-22501 (CVSS rating: 9.4) and is described as a case of broken authentication with a simple attack vector. An attacker could take advantage of the flaw to pose to another user and access affected instances without authorization. This vulnerability affects Jira Service Management Server and Data Centre versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0, respectively. According to Atlassian, an attacker could gain access to signup tokens with write access to a User Directory and outgoing email enabled on a Jira Service Management instance. Users who have never signed into their accounts are sent the tokens. The tokens can be accessed in two ways: If the attacker has access to requests or issues on Jira that include these users, or If the attacker is forwarded or obtains access to emails containing a “View Request” link from these users. Particularly vulnerable in this case are bot accounts. Users who are synchronized to the Jira service by read-only User Directories or single sign-on (SSO) are unaffected, however instances with single sign-on, external customer accounts can be affected in projects in which anyone can make their own account. Atlassian further noted that the issue does not affect Jira sites hosted in the cloud using an atlassian[.]net domain, and no remedial action is necessary in this scenario. Accorian advises you to upgrade each of your impacted installations to 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later considering Atlassian products' recent emergence as an alluring attack vector. Source:https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html Threat Advisory Team  Accorian

View More

Article

Git affected by remote code execution attacks

Recently, Git patched 2 critical vulnerabilities which could be used to launch remote code execution attacks. The issues have been assigned CVE-2022-23521 and CVE-2022-41903. The vulnerabilities affect Git versions up to and including Git 2.39. CVE-2022-23521 affects the gitattributes mechanism. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, or when the declared attribute names are huge. CVE-2022-41903, also a critical vulnerability regarding integer overflow, can be triggered directly by a user running a command which invokes the commit formatting machinery or can be triggered indirectly through the git archive. These integer overflows may result in arbitrary heap writes, which can result in remote code execution. It is recommended that users of Windows, macOS, and Linux/Unix download and install the most recent git release, which is v2.39.1. Disable the git archive in untrusted repositories if upgrading is unfeasible. Versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been issued, according to GitLab, to resolve the issues. Customers are urged to apply the fixes with immediate effect. Accorian assures to assist all its clients. Please feel free to reach out to us if you have any questions. Source: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/ Threat Advisory Team  Accorian

View More

    Ready to Start?

    SECURITY COMPLIANCE & ASSESSMENT SERVICES
    CONSULTING & ASSESSMENT SERVICES

    PENETRATION TESTING

    RED TEAM ASSESMENTS

    TECHNOLOGY STAFFING

    Contact Info

    E. info@accorian.com

    T. +1-732-443-3468

    Contact With Us

    Office Address

    Accorian Head Office

    6,Alvin Ct, East Brunswick, NJ 08816 USA

    Accorian Canada

    Toronto

    Accorian India

    401,402, Prestige Towers, Residency Rd., Shanthala Nagar, Ashok Nagar, Bengaluru, Karnataka 560025, India

    Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

    © 2023 Accorian. All Rights Reserved.

      Ready to Start?

      Download Case study

      Download SOC2 Guide

      Human Resources Director

      Posted On: 09 May, 2022

      Drop your CVs to joinourteam@accorian.com

        Interested Position
        First Name
        Last Name
        Email
        Total Experience
        Mobile Number
        Upload Resume
        Cancel