Vigil@nce - Cisco ESA, SMA: privilege escalation via FTP/SLBL
April 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can use the FTP and SLBL services of
Cisco ESA and SMA, in order to escalate his privileges.
Impacted products: AsyncOS, Cisco Content SMA, Cisco ESA, IronPort
Email, IronPort Management
Severity: 2/4
Creation date: 20/03/2014
DESCRIPTION OF THE VULNERABILITY
The Cisco Email Security Appliance and Cisco Content Security
Management Appliance products use the following services:
– FTP to transfer files
– SLBL (Safelist/Blocklist) to filter emails
However, an authenticated attacker can log in via FTP to replace
the SLBL base, by a malicious base containing shell commands. He
can then send an email to start a SLBL check, which triggers the
execution of shell commands, with privileges of the root user.
An authenticated attacker can therefore use the FTP and SLBL
services of Cisco ESA and SMA, in order to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-ESA-SMA-privilege-escalation-via-FTP-SLBL-14451