Cisco reports critical vulnerability in Cisco Smart Software Manager On-Prem, enabling change of any user's password
Take action: This one is mostly for large enterprises. If you are using Cisco Smart Software Manager On-Prem, make sure it's accessible only from trusted networks. Then patch as soon as possible, because even if it's isolated, a hacker breaching something else will eventually find it.
Cisco has addressed a critical vulnerability, tracked as CVE-2024-20419 (CVSS score 10.0), in its Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers.
Cisco Smart Software Manager On-Prem (SSM On-Prem) is a licensing solution that enables customers to manage their Cisco product licenses within their own premises, without requiring a direct connection to Cisco’s cloud-based Smart Software Manager.
The vulnerability allows attackers to change any user's password, including those of administrative users. It arises from an improper implementation in the password-change process. Threat actors can exploit this flaw by sending specially crafted HTTP requests to vulnerable devices.
According to Cisco's advisory, "A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."
The vulnerability affects Cisco SSM On-Prem (also known as Cisco Smart Software Manager Satellite (SSM Satellite)) versions earlier than Release 7.0.
Customers are advised to upgrade to an appropriate fixed software release.
- Users of Cisco SSM On-Prem Release 8-202206 and earlier should upgrade to 8-202212
- Cisco SSM On-Prem Release 9 is not vulnerable
As of now, Cisco’s Product Security Incident Response Team (PSIRT) has no reports of public announcements or attacks exploiting this vulnerability. The advisory also notes that there is no workaround available for this flaw.
Update - As of 8th of August 2024, Cisco has issued a warning about exploit code for CVE-2024-20419. While Cisco is aware of the proof-of-concept exploit, they have not yet detected any real-world exploitation of this flaw.