===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2022.17.08.1000
Cisco Secure Web Appliance: CVSS (Max): 6.3
18th August 2022
===========================================================================
Product: Cisco Secure Web Appliance
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20871
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-8PdRU8t8
Comment: CVSS (Max): 6.3 CVE-2022-20871 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Secure Web Appliance Privilege Escalation Vulnerability
Priority: High
Advisory ID: cisco-sa-wsa-prv-esc-8PdRU8t8
First Published: 2022 August 17 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwb92675
CVE Names: CVE-2022-20871
CWEs: CWE-78
Summary
o A vulnerability in the web management interface of Cisco AsyncOS for Cisco
Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could
allow an authenticated, remote attacker to perform a command injection and
elevate privileges to root.
This vulnerability is due to insufficient validation of user-supplied input
for the web interface. An attacker could exploit this vulnerability by
authenticating to the system and sending a crafted HTTP packet to the
affected device. A successful exploit could allow the attacker to execute
arbitrary commands on the underlying operating system and elevate
privileges to root. To successfully exploit this vulnerability, an attacker
would need at least read-only credentials.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-8PdRU8t8
Attention : Simplifying the Cisco portfolio includes the renaming of
security products under one brand: Cisco Secure. For more information, see
Meet Cisco Secure .
Affected Products
o Vulnerable Products
This vulnerability affects Cisco AsyncOS for Cisco Secure Web Appliance,
both virtual and hardware appliances.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Email Security Appliance (ESA), both virtual and hardware appliances
Secure Email and Web Manager, formerly Security Management Appliance
(SMA), both virtual and hardware appliances
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following table(s), the left column lists Cisco software releases.
The right column indicates whether a release is affected by the
vulnerability that is described in this advisory and the first release that
includes the fix for this vulnerability. Customers are advised to upgrade
to an appropriate fixed software release as indicated in this section.
Cisco AsyncOS for Secure Web Appliance Release First Fixed Release
Earlier than 12.5 Not vulnerable
12.5 Release no. TBD (Sep 2022)
14.0 Release no. TBD (Aug 2022)
14.5 14.5.0-537
In most cases, the software can be upgraded over the network by using the
System Upgrade options in the web interface of the Secure Web Appliance. To
upgrade a device by using the web interface, do the following:
1. Choose System Administration > System Upgrade .
2. Click Upgrade Options .
3. Choose Download and Install .
4. Choose the release to upgrade to.
5. In the Upgrade Preparation area, choose the appropriate options.
6. Click Proceed to begin the upgrade. A progress bar displays the status
of the upgrade.
After the upgrade is complete, the device reboots.
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o Cisco would like to thank Alvaro Gutierrez of mnemonic for finding and
reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-8PdRU8t8
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-AUG-17 |
+----------+---------------------------+----------+--------+--------------+
---------------------------END INCLUDED TEXT--------------------
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT