Vulnerabilities  
July 22, 2024

Critical Vulnerability in Cisco SSM On-Prem: A Call to Action for IT Professionals

Cisco has recently addressed a critical security vulnerability in its Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers. The vulnerability, tracked as CVE-2024-20419, allows attackers to change any user’s password, including an administrator’s, without prior authentication. Releases earlier than Release 7.0, which were known as Cisco Smart Software Manager Satellite (SSM Satellite), are susceptible to this flaw as well.

Functionality of SSM On-Prem

SSM On-Prem plays a crucial role within Cisco's Smart Licensing framework, enabling service providers and Cisco partners to efficiently manage customer accounts and product licenses. Given its integral function, the security of this system is paramount.

Technical Details

The vulnerability stems from an unverified password change weakness in the authentication mechanism of SSM On-Prem. This flaw permits unauthenticated, remote attackers to reset user passwords by sending specially crafted HTTP requests to the affected device.

Cisco elaborated on the nature of the vulnerability, stating, "This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

Impacted Versions and Solutions

Cisco SSM On-Prem versions 8-202206 and earlier are affected by this vulnerability. The first fixed release for these versions is 8-202212. Versions in the 9 release line are not vulnerable. Cisco advises that there are no available workarounds for systems impacted by this vulnerability. Administrators must upgrade to the fixed release versions to secure their servers and maintain the integrity of their environments.
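
The version boundaries above can be turned into an inventory triage check. The following is an added example, not Cisco's or the original article's code; it assumes release strings take the form "major-YYYYMM" (as in 8-202206) or a dotted form for older releases, and the hostnames and inventory entries are constructed.

```python
import re
from typing import NamedTuple

# Thresholds from the affected-versions paragraph above.
FIRST_FIXED_BUILD = 202212   # first fixed release in the 8 line: 8-202212
FIXED_LINE = 8               # release line that received the fix
SAFE_LINE = 9                # release line 9 is not vulnerable

# Assumed string forms: "<major>-<YYYYMM>" (e.g. 8-202206) or dotted "<major>.<x>.<y>".
_RELEASE = re.compile(r"^\s*(\d+)(?:-(\d{6})|((?:\.\d+)*))\s*$")

class Verdict(NamedTuple):
    host: str
    release: str
    status: str  # vulnerable | unknown | fixed | not-affected

def classify(release: str) -> str:
    """Map one release string to a CVE-2024-20419 status."""
    m = _RELEASE.match(release)
    if not m:
        return "unknown"            # unparseable: needs a manual check
    major, build = int(m.group(1)), m.group(2)
    if major >= SAFE_LINE:
        # The page only covers line 9; later lines are left for manual review.
        return "not-affected" if major == SAFE_LINE else "unknown"
    if major < FIXED_LINE:
        return "vulnerable"         # 7.x and the older SSM Satellite releases
    if build is None:
        return "unknown"            # "8" alone does not identify the build
    # Anything below the first fixed build is treated as vulnerable.
    return "fixed" if int(build) >= FIRST_FIXED_BUILD else "vulnerable"

def triage(inventory):
    """Classify (host, release) pairs; vulnerable and unknown hosts sort first."""
    rank = {"vulnerable": 0, "unknown": 1, "fixed": 2, "not-affected": 3}
    verdicts = [Verdict(h, r, classify(r)) for h, r in inventory]
    return sorted(verdicts, key=lambda v: (rank[v.status], v.host))

# Constructed sample inventory (hostnames and release strings are made up).
SAMPLE_INVENTORY = [
    ("ssm-lab-01", "8-202206"), ("ssm-prod-01", "8-202212"),
    ("ssm-dr-01", "9-202406"), ("ssm-legacy", "6.3.0"),
    ("ssm-branch", "7-202001"), ("ssm-odd", "eight"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.status:<13} {v.host:<12} {v.release}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed safe.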

Current Threat Landscape

Cisco's Product Security Incident Response Team (PSIRT) has not yet observed any public proof-of-concept exploits or exploitation attempts targeting this specific vulnerability. However, the critical nature of the flaw necessitates immediate action.

Earlier this month, Cisco addressed another critical issue, an NX-OS zero-day vulnerability (CVE-2024-20399), which had been actively exploited to install unknown malware as root on vulnerable MDS and Nexus switches. In addition, Cisco previously disclosed two other zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359), which were being exploited by a state-sponsored hacking group tracked as UAT4356 and STORM-1849. These exploits, part of a campaign known as ArcaneDoor, have targeted government networks globally since November 2023, leveraging vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls.

To Sum Up

The discovery of CVE-2024-20419 underscores the importance of maintaining up-to-date systems and promptly addressing security advisories. IT professionals and system administrators are urged to apply the necessary updates to mitigate the risks associated with this critical vulnerability. Vigilance and proactive security measures are essential in safeguarding network infrastructure against emerging threats.
