Researcher warns that Cisco Secure Email Gateways can easily be circumvented

A researcher revealed how to bypass some of the filters in Cisco Secure Email Gateway appliance and deliver malware using specially crafted emails.

An anonymous researcher publicly disclosed a series of techniques to bypass some of the filters in Cisco Secure Email Gateway appliance and deliver malware using specially crafted emails.

The researcher pointed out that the attack complexity is low, it also added that working exploits have already been published by a third party. The expert disclosed the technique within a coordinated disclosure procedure.

“This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame.” wrote the researcher on the Full Disclosure mailing list. “As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known.”

The researchers explained that Cisco Secure Email Gateways can be circumvented by a remote attacker that leverages error tolerance and different MIME decoding capabilities of email clients.

The methods disclosed by the researcher could allow attackers to bypass Cisco Secure Email Gateway, they work against several email clients, such as Outlook, Thunderbird, Mutt, and Vivaldi.

The three methods are:

• Method 1: Cloaked Base 64 – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts several Email Clients, including Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build 16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit), Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.
• Method 2: yEnc Encoding – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Mozilla Thunderbird 91.11.0 (64-bit) email client.
• Method 3: Cloaked Quoted-Printable – This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. The method impacts Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1 Email Clients.

Cisco published a bug report warning of an issue in the Sophos and McAfee scanning engines of Cisco Secure Email Gateway that could allow an unauthenticated, remote attacker to bypass specific filtering features.

“The issue is due to improper identification of potentially malicious emails or attachments. An attacker could exploit this issue by sending a malicious email with malformed Content-Type headers (MIME Type) through an affected device.” reads the alert. “An exploit could allow the attacker to bypass default anti-malware filtering features based on the affected scanning engines and successfully deliver malicious messages to the end clients.”

The issues impact devices running with a default configuration.

The researcher explained that the code employing the attack methods, and many similar techniques to manipulate MIME encoding, are implemented in an open-source Toolkit for generating and testing bad MIME that is available on GitHub.

known for many years and have been found in the products of several vendors.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco Secure Email Gateways)

[adrotate banner=”5″]

[adrotate banner=”13″]