Cisco Patches Critical Vulnerability in Email Security Appliance


Cisco patched a serious vulnerability in its Email Security Appliance (ESA) and Secure Email and Web Manager products on Wednesday. The flaw, tracked as CVE-2022-20798 (CVSS 9.8), can be exploited remotely by an unauthenticated attacker to bypass authentication and log in to the web management interface of a vulnerable appliance. It is caused by improper authentication checks when the device uses Lightweight Directory Access Protocol (LDAP) for external authentication.

According to Cisco, both virtual and physical appliances running a vulnerable Cisco AsyncOS release are affected if external authentication is enabled and LDAP is the authentication mechanism; appliances that do not use LDAP for external authentication are not exposed. Secure Email and Web Manager customers should upgrade to AsyncOS 13.0.0-277, 13.6.2-090, 13.8.1-090, 14.0.0-418 or 14.1.0-250; for ESA, Cisco recommends AsyncOS 14.0.1-033. Cisco also fixed a separate information disclosure vulnerability in the same products at the same time, tracked as CVE-2022-20664, which exists because input is not properly sanitised while querying the external authentication server.
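One way to turn these conditions into a quick in-scope check, as an added example that is not Cisco's code and not part of the original article: the script below parses AsyncOS version strings, compares them against the fixed releases listed above, and applies the LDAP external-authentication condition. The `version` CLI output it parses is a constructed sample. Grouping each fixed release with the train that shares its major.minor number is an assumption of the example; trains not listed in the article are reported as unknown rather than guessed, so consult the Cisco advisory for those. Whether external authentication uses LDAP is taken as an input, since that has to be read from the appliance's own user-authentication settings.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, build

# Fixed AsyncOS releases exactly as the article lists them. Matching each fix
# to the release train that shares its major.minor is an assumption made for
# this example; trains the article does not mention are reported as unknown.
FIXED_RELEASES: Dict[str, List[str]] = {
    "SMA": ["13.0.0-277", "13.6.2-090", "13.8.1-090", "14.0.0-418", "14.1.0-250"],
    "ESA": ["14.0.1-033"],
}

PATCHED = "patched"
VULNERABLE = "vulnerable"
NOT_EXPOSED = "not-exposed"      # vulnerable build, but LDAP external auth is not in use
UNKNOWN_TRAIN = "unknown-train"  # the article lists no fixed release for this train

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Version:
    """Parse an AsyncOS version such as '14.0.0-418' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), int(m[4]))


def version_from_cli_output(output: str) -> Version:
    """Extract the version from the text the AsyncOS 'version' command prints.

    Only a 'Version: x.y.z-build' line is relied on; the sample output below
    is constructed for this example.
    """
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "version":
            return parse_version(value)
    raise ValueError("no 'Version:' line found in CLI output")


def fixed_release_for(product: str, version: Version) -> Optional[Version]:
    """Return the listed fixed release in the same major.minor train, if any."""
    for fixed in FIXED_RELEASES[product]:
        candidate = parse_version(fixed)
        if candidate[:2] == version[:2]:
            return candidate
    return None


def assess(product: str, version: Version, ldap_external_auth: bool) -> str:
    """Classify an appliance against the stated conditions for CVE-2022-20798.

    The bug is only reachable when external authentication is enabled and
    uses LDAP, so a vulnerable build without that configuration is reported
    as not exposed rather than vulnerable.
    """
    fixed = fixed_release_for(product, version)
    if fixed is None:
        return UNKNOWN_TRAIN
    if version >= fixed:
        return PATCHED
    return VULNERABLE if ldap_external_auth else NOT_EXPOSED


# Constructed sample of what the 'version' CLI command might print on an ESA.
SAMPLE_CLI_OUTPUT = """\
Current Version
===============
Product: Cisco C100V Email Security Virtual Appliance
Model: C100V
Version: 14.0.0-698
Build Date: 2021-06-19
"""

if __name__ == "__main__":
    v = version_from_cli_output(SAMPLE_CLI_OUTPUT)
    print("ESA", f"{v[0]}.{v[1]}.{v[2]}-{v[3]:03d}", assess("ESA", v, True))
    for ver in ("13.6.1-201", "13.6.2-090", "14.1.0-250", "12.8.1-002"):
        print("SMA", ver, assess("SMA", parse_version(ver), True))
```

The comparison is a plain tuple comparison on (major, minor, patch, build), which is why the build number is parsed as an integer rather than compared as text; "14.0.0-698" sorts before "14.0.1-033" even though "698" is lexically larger than "033".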