Critical Vulnerability in Cisco SSM On-Prem Allows Hackers to Alter User Passwords
July 17, 2024
Cisco has addressed a critical vulnerability in its Cisco Smart Software Manager On-Prem (SSM On-Prem) license servers that allowed attackers to change the password of any user, including administrators. The vulnerability also affects SSM On-Prem installations earlier than Release 7.0, formerly known as Cisco Smart Software Manager Satellite (SSM Satellite). As a component of Cisco Smart Licensing, SSM On-Prem helps service providers and Cisco partners manage customer accounts and product licenses.
The security flaw, tracked as CVE-2024-20419, stems from an unverified password change in the SSM On-Prem authentication system. Successful exploitation could enable unauthenticated, remote attackers to set new user passwords without knowing the original credentials. As Cisco explained, 'This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device.'
A successful attack could allow the intruder to access the web UI or API with the compromised user's privileges. Cisco has stated that there are no workarounds for affected systems, so administrators must update to a fixed release to protect vulnerable servers on their network.
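To make the flaw class concrete, the following added example (not Cisco's code, and not SSM On-Prem's actual request format) models a password-change handler that never checks who is calling or whether they know the current password, beside a corrected handler that binds the change to an authenticated session and verifies the existing credential first. The request dictionary, in-memory user store and hashing parameters are all constructed for this illustration.

```python
# Constructed illustration of the vulnerability class behind CVE-2024-20419:
# a password change accepted without authentication or proof of the current
# credential, next to the hardened version. Not the vendor's implementation.
import hashlib
import hmac
import os
from typing import Optional

USERS = {}  # constructed in-memory store: username -> (salt, pbkdf2 digest)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


def change_password_vulnerable(request: dict) -> bool:
    # Trusts the 'user' field in the request and overwrites that account's
    # password with no session check and no current-password check: any
    # remote caller can reset any account, including admin.
    if request["user"] not in USERS:
        return False
    set_password(request["user"], request["new_password"])
    return True


def change_password_fixed(request: dict, session_user: Optional[str]) -> bool:
    # Require an authenticated session, refuse changes for any account other
    # than the session's own, and demand the current password before
    # accepting the new one.
    if session_user is None or request.get("user") != session_user:
        return False
    if not verify(session_user, request.get("current_password", "")):
        return False
    set_password(session_user, request["new_password"])
    return True
```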
Cisco's Product Security Incident Response Team (PSIRT) has not yet discovered any evidence of public proof of concept exploits or attempts to exploit this vulnerability. Earlier this month, Cisco patched a zero-day vulnerability (CVE-2024-20399) that had been leveraged to install previously undiscovered malware as root on susceptible MDS and Nexus switches since April.
In April, Cisco also issued a warning that a state-sponsored hacking group, identified as UAT4356 and STORM-1849, had been exploiting two other zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359). Since November 2023, these vulnerabilities have been used against Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls in a campaign known as ArcaneDoor, targeting government networks globally.