New vulnerabilities found in Cisco internal testing allow remote access and scripting that could lead to the loss of sensitive user data. Credit: cisco Cisco has issued alerts for a vulnerability found in its email security and web management products that could allow an authenticated remote actor to retrieve sensitive information from an affected device.An advisory issued by Cisco this week outlined that the vulnerability—detected in the web management interface of Cisco Secure Email and Web Manager, known formerly as Cisco Security Management Appliance (CSMA), and Cisco Email Security Appliance (ESA)—allows an authenticated actor to extract sensitive information through a Lightweight Directory Access Protocol (LDAP) server connected to the affected device.This vulnerability is due to a design oversight in the querying process, according to Cisco. LDAP is an external authentication protocol for accessing and maintaining distributed directory information services on the public internet or corporate intranet.No public exploitation discovered (yet)The vulnerability was found during internal security testing and until the time of publishing the advisory Tuesday Cisco’s team was unaware of any public announcement or exploitation of the vulnerability, the company said. According to the advisory, the vulnerability has received a 7.7 CVSS score and has no workarounds. The vulnerability, with bug IDs CSCvz20942 and CSCvz40090 for virtual and hardware appliances, respectively, can be exploited provided they:Are running a vulnerable release of Cisco AsyncOS SoftwareAre configured to use external authenticationAre using LDAP as an authentication protocolThe external authentication is disabled by default and can be checked by navigating to System administration>Users> External authentication. Cisco confirmed that the vulnerability doesn’t affect Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), a hardware plug-in for the company’s secure web gateway (SWG).Cisco has released free software updates that address the vulnerability, and can be obtained by customers with service contracts for regular software updates. Customers with no valid service contracts, or who acquired products via third-party point-of-sales, are advised to source the fixed software by contacting Cisco TAC (Technical Assistance Center).Vulnerabilities have CVSS scores ranging from 5.4 to 9.1 Cisco also revealed an additional three vulnerabilities with CVSS scores ranging from 5.4 to 9.1.The vulnerabilities include one (CVE-2022-20829) in the Cisco Adaptive Security Device Manager (ASDM) and Adaptive Secuirty Appliance (ASA) with a CVSS score of 9.1. This was deemed moderately severe, despite a high CVSS score, due to its requirement for administrative privileges from the attacker, and its relatively limited target. The vulnerability has received partial patching that requires updating both ASA software and ASDM.The second Vulnerability (CVE-2022-20828) is found in the Command Line Interface (CLI) parser of the Cisco Firepower Software for Adaptive Security Appliance Firepower module. This bug, scored at 6.5 CVSS, can allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA Firepower module as the root user, according to the security advisory. Migrating to a July release that has the fix is the only resolution for the vulnerability.Lastly, vulnerability CVE-2022-20802, found in the web interface of Cisco Enterprise Chat and Email, may allow cross-site scripting against a user of the interface for that software, and has received a severity score of 5.4. Cisco said it will resolve the vulnerability with future updates, burt did not provide a timeline for doing so. Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe