Cisco on Wednesday rolled out fixes to deal with a critical security flaw affecting Email Security Equipment (ESA) and Secure Email and Web Manager that could be exploited by an unauthenticated, remote attacker to sidestep authentication.
Assigned the CVE identifier CVE-2022-20798, the bypass vulnerability is rated 9.8 out of a most of 10 on the CVSS scoring technique and stems from improper authentication checks when an impacted device takes advantage of Lightweight Listing Entry Protocol (LDAP) for external authentication.
“An attacker could exploit this vulnerability by entering a unique enter on the login site of the impacted device,” Cisco famous in an advisory. “A prosperous exploit could let the attacker to achieve unauthorized obtain to the web-based administration interface of the affected unit.”
The flaw, which it stated was discovered during the resolution of a technological help middle (TAC) scenario, impacts ESA and Secure Email and Web Manager managing susceptible AsyncOS software program variations 11 and before, 12, 12.x, 13, 13.x, 14, and 14.x and when the subsequent two problems are satisfied –
- The gadgets are configured to use external authentication, and
- The units use LDAP as authentication protocol
Individually, Cisco also notified customers of a further critical flaw impacting its Tiny Enterprise RV110W, RV130, RV130W, and RV215W routers that could let an unauthenticated, remote adversary to execute arbitrary code or cause an afflicted device to restart unexpectedly, ensuing in a denial of assistance (DoS) affliction.
The bug, tracked as CVE-2022-20825 (CVSS rating: 9.8), relates to a case of inadequate user enter validation of incoming HTTP packets. Nevertheless, Cisco mentioned it neither plans to release software program updates nor workarounds to resolve the flaw, for the reason that the solutions have arrived at stop-of-life.
Discovered this report appealing? Comply with THN on Fb, Twitter and LinkedIn to examine more distinctive material we article.
Some pieces of this post are sourced from: