Critical vulnerability in Cisco Smart Software Manager On-Prem exposes systems to unauthorized password changes, exploit code now available.

Background

On July 17, 2024, Cisco published an advisory for a for a critical vulnerability in Cisco’s Smart Software Manager On-Prem (SSM On-Prem):

Analysis

CVE-2024-20419 is an unverified password change weakness within the Cisco SSM On-Prem interface due to improper validation. Specifically, the flaw allows an unauthenticated, remote attacker to exploit an insufficient authentication mechanism, changing the password of any user by sending specially crafted HTTP requests without prior knowledge of the existing password. The vulnerability affects Cisco SSM On-Prem version 8-202206 and earlier, including releases prior to 7.0 where the product was named Cisco SSM Satellite.

Successful exploitation could result in access to the web interface or API of Cisco SSM On-Prem in the context of the compromised user account. The vulnerability is considered critical as the complexity of the attack is low and could lead to full administrative control over the SSM On-Prem instance. This control could be used to disrupt the organization’s software management processes, gain unauthorized access to sensitive resources and potentially carry out further attacks within the network.

On August 7, 2024, Cisco updated their advisory to reflect that public proof-of-concept (PoC) exploit code was now available, heightening the urgency to patch.

Proof of concept

On July 20, 2024, Mohammed Adel, a penetration tester with a previous history of developing exploits, published a detailed writeup explaining the root cause of the vulnerability and his PoC exploit code. The writeup also visually demonstrates the PoC being leveraged against an administrative account to change the password highlighting the vulnerabilities ease of exploitation.

Credit: Mohammeds writeup

Solution

Cisco has issued patches for all affected versions of Cisco SSM On-Prem. At the time of this blog there is no indication of exploitation in-the-wild, but with exploit code publicly available, administrators are strongly advised to apply these patches without delay to mitigate the risk of exploitation. The following table reflects affected and patched versions:

Cisco has highlighted that there are no workarounds for this vulnerability.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-20419 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.