#VU68966 Use of Hard-coded Cryptographic Key in Cisco AsyncOS for Cisco Email Security Appliance and Cisco AsyncOS for Web Security Appliances - CVE-2022-20868
Vulnerability identifier: #VU68966
Vulnerability risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-321
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco AsyncOS for Cisco Email Security Appliance
Server applications /
IDS/IPS systems, Firewalls and proxy servers
Cisco AsyncOS for Web Security Appliances
Server applications /
IDS/IPS systems, Firewalls and proxy servers
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote user to escalate privileges on the device.
The vulnerability exists due to usage of a hard-coded value to encrypt a token that is used for certain API calls. A remote user can send a specially crafted HTTP request to the next-generation UI management interface, impersonate another valid user and execute commands with the privileges of that user account.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Cisco AsyncOS for Cisco Email Security Appliance: before 14.2.1-015
Cisco AsyncOS for Web Security Appliances: before 14.2.0-217
External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esasmawsa-vulns-YRuSW5mD
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc12183
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc12186
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
