Cisco has issued a critical security advisory for a vulnerability in its Cisco Smart Software Manager On-Prem licensing tool, which could allow attackers to change any user’s password, including those of administrators on license servers.
The flaw, tracked as CVE-2024-20419, affects SSM On-Prem installations earlier than Release version 7.0, also known as Cisco Smart Software Manager Satellite (SSM Satellite).
Cisco Smart Software Manager On-Prem Vulnerability
The vulnerability has been rated at the maximum severity score of 10.0 on the CVSS scale, and stems from an improper implementation of the password-change process in SSM On-Prem’s licensing authentication system.
The National Vulnerability Database provides the following description about the vulnerability:
A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device.
As a Cisco Smart Licensing component, SSM On-Prem plays a crucial role in managing customer accounts and product licenses for service providers and Cisco partners. Successful exploitation of this flaw enables attackers to send crafted HTTP requests and gain access to the web UI or API with all the privileges associated with compromised user accounts.
SSM On-Prem Disclosure and Official Patch
Cisco acknowledged the disclosure of the vulnerability and expressed appreciation for the efforts of Mohammed Adel, the researcher who reported this vulnerability.
Cisco has released software updates to address the vulnerability, and stated that there were no available workarounds. Cisco has advised customers with active service contracts to obtain the necessary security fixes through their regular update channels. Those without service contracts can contact the Cisco Technical Assistance Center (TAC) to obtain the required upgrades.
Cisco’s Product Security Incident Response Team (PSIRT) has not yet found evidence of public proof-of-concept (POC) exploits or active exploitation attempts targeting this vulnerability. However, the company urges customers to remain vigilant and regularly consult Cisco security advisories to stay informed about the latest threats and mitigation strategies.
The company has provided a clear roadmap for affected and fixed releases, as detailed in the advisory. Customers are strongly encouraged to upgrade to the appropriate fixed software release to secure their SSM On-Prem installations and protect against potential exploitation.
It is essential to ensure that devices that are to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release.
Customers are advised to regularly consult advisories for Cisco products to determine exposure and a complete upgrade solution. The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads.
