PT-2020-4226 · Cisco · Cisco Content Security Management Appliance (+2 more affected products)

Published: 2020-08-05 · Updated: 2020-08-20 · CVE-2020-3447

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Cisco AsyncOS for Cisco Email Security Appliance and Cisco AsyncOS for Cisco Content Security Management Appliance (affected versions not specified)
Description: The issue stems from insufficient protection of sensitive information in the command-line interface of Cisco AsyncOS and could allow an authenticated remote attacker to gain unauthorized access to that information. The vulnerability is due to excessive verbosity in certain log subscriptions: by reading specific log files on an affected device, an attacker could obtain sensitive log data, including user credentials. Exploitation requires valid credentials at the operator level or higher.
Recommendations: For Cisco AsyncOS for Cisco Email Security Appliance and Cisco AsyncOS for Cisco Content Security Management Appliance, consider restricting access to log files and sensitive information to minimize the risk of exploitation. As a temporary workaround, consider disabling access to specific log subscriptions that may contain sensitive information until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
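The weakness described above is sensitive data written into log files. Before a log subscription's output is exported, shared with support, or left readable by lower-privileged operators, a defender can check it for credential-like content and redact it. The script below is an added example, not code from Positive Technologies or Cisco; the log lines are constructed samples and their format is an assumption, not real AsyncOS output. It flags two common leak shapes (a `password=`/`secret:` style key-value pair and an HTTP Basic authorization header, which it confirms by base64-decoding and looking for the `user:password` separator) and produces a redacted copy.

```python
import base64
import re

# Constructed sample log excerpt (assumed format, NOT real AsyncOS output).
SAMPLE_LOG = """\
Tue Aug  4 10:01:12 2020 Info: User admin logged in from 192.0.2.10
Tue Aug  4 10:01:15 2020 Debug: CLI command: userconfig edit operator password=Hunter2!
Tue Aug  4 10:02:01 2020 Info: Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQ=
Tue Aug  4 10:02:30 2020 Info: Message delivered to example.net
"""

# Each pattern captures the secret in a named group so redaction can keep the
# surrounding context (key name, header name) and replace only the value.
PATTERNS = [
    ("keyword", re.compile(
        r"(?i)\b(?:passw(?:or)?d|passphrase|secret|token)\s*[=:]\s*(?P<secret>\S+)")),
    ("basic_auth", re.compile(
        r"(?i)\bauthorization:\s*basic\s+(?P<secret>[A-Za-z0-9+/=]+)")),
]


def _basic_auth_is_credentials(blob: str) -> bool:
    """Return True if the base64 blob decodes to a 'user:password' pair."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    return b":" in decoded


def find_leaks(text: str) -> list:
    """Scan log text line by line and report credential-like content.

    Each finding records the 1-based line number, the pattern kind, and
    whether the match was confirmed (always True for key-value hits; for
    Basic auth only when the blob decodes to a user:password pair).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                confirmed = True
                if kind == "basic_auth":
                    confirmed = _basic_auth_is_credentials(match.group("secret"))
                findings.append({"line": lineno, "kind": kind, "confirmed": confirmed})
    return findings


def redact(text: str) -> str:
    """Return a copy of the log text with every captured secret value replaced."""

    def _replace(match: re.Match) -> str:
        # Keep everything up to the start of the secret, drop the secret itself.
        return match.string[match.start():match.start("secret")] + "[REDACTED]"

    for _, pattern in PATTERNS:
        text = pattern.sub(_replace, text)
    return text


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['kind']} "
              f"(confirmed={finding['confirmed']})")
    print(redact(SAMPLE_LOG))
```

Run against a real export, the script only tells you that credentials are present; the fix on the appliance side is still the one the advisory gives, restricting who can read the log files and disabling the over-verbose subscription until a patched release is available.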

Weakness Enumeration

Insertion into Log File

Related Identifiers

BDU:2020-04666
CVE-2020-3447

Affected Products

Cisco AsyncOS
Cisco Content Security Management Appliance
Cisco Email Security Appliance