Maximum-severity Cisco vulnerability allows attackers to change admin passwords

You’re going to want to patch this one


Cisco just dropped a patch for a maximum-severity vulnerability that allows attackers to change the password of any user, including admins.

Tracked as CVE-2024-20419, the bug carries a maximum 10/10 CVSS 3.1 rating and affects the authentication system of Cisco Smart Software Manager (SSM) On-Prem.

Cisco hasn't disclosed many details about this, which is more than understandable given the nature of the vulnerability. However, we do know that an unauthenticated remote attacker can exploit it to change passwords. That is hardly ideal, and it should be patched as soon as possible.

Digging into the severity assessment, the attack complexity was deemed "low": no privileges or user interaction are required to pull it off, and the impact on the product's integrity, availability, and confidentiality is rated "high" across the board.

"This vulnerability is due to improper implementation of the password-change process," Cisco's advisory reads, providing the last few details about the vulnerability. 

"An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

There are no workarounds for this vulnerability, so get those patches applied if you're in the business of keeping your passwords safe and secure. Fortunately, there are no signs of this being exploited in the wild yet, but now the cat's out of the bag it likely won't be long before that changes.

CVE-2024-20419 affects both SSM On-Prem and SSM Satellite. They're different names for the same product, only the latter refers to versions before release 7.0.

For versions 8-202206 and earlier, organizations should upgrade to 8-202212, or better still, version 9, which is unaffected by the vulnerability.
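For anyone checking an inventory against the ranges above, here is an added example (not from the article or from Cisco) that encodes them as a small classifier. It assumes the "major-YYYYMM" and "major.minor" version formats seen on the page, treats anything below release 8 (the SSM Satellite era) as affected, and, as a conservative assumption, treats any release-8 build older than 8-202212 as unpatched, since 8-202212 is the fixed build the article names. The inventory entries are constructed sample data.

```python
import re

# Remediation ranges for CVE-2024-20419 as summarised in the article.
LAST_AFFECTED_8_BUILD = 202206   # "8-202206 and earlier" are affected
FIXED_8_BUILD = 202212           # the patched release-8 build
UNAFFECTED_MAJOR = 9             # version 9 is unaffected

# Accepts "8-202206", "9", or dotted legacy forms such as "7.0".
_VERSION_RE = re.compile(r"^\s*(\d+)(?:[-.](\d+))?\s*$")


def parse_version(text: str) -> tuple:
    """Return (major, build) for a version string; build is 0 when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def assess(version: str) -> str:
    """Classify a version as 'unaffected', 'fixed' or 'affected'."""
    major, build = parse_version(version)
    if major >= UNAFFECTED_MAJOR:
        return "unaffected"
    if major == 8 and build >= FIXED_8_BUILD:
        return "fixed"
    # Release 8 builds up to and including 202206, anything between 202206 and
    # 202212 (assumed unpatched), and every pre-8 (SSM Satellite) release.
    return "affected"


def triage(inventory: dict) -> dict:
    """Map hostname -> action for a {hostname: version} inventory."""
    actions = {}
    for host, version in inventory.items():
        status = assess(version)
        if status == "affected":
            actions[host] = f"{status}: upgrade to 8-{FIXED_8_BUILD} or {UNAFFECTED_MAJOR}"
        else:
            actions[host] = status
    return actions


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = {
    "ssm-lab-01": "8-202206",
    "ssm-lab-02": "8-202212",
    "ssm-lab-03": "9",
    "ssm-legacy": "7.0",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```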

Cisco hasn't mentioned anything about how many of its customers are potentially affected by this flaw, although a recently updated whitepaper [PDF] about SSM On-Prem authored by Cisco says the product "is most often the go-to solution used by financial institutions, utilities, service providers, and government organizations."

Although the product is aimed at all customers, the industries in which it is most commonly used suggest that successful attacks could lead to some pretty nasty outcomes affecting supply chains.

The vulnerability is the standout bug among a slew of issues fixed by Cisco on Wednesday. It was one of two critical flaws addressed with security updates alongside CVE-2024-20401 (9.8), an issue with Cisco Secure Email Gateway that allows an unauthenticated attacker to overwrite arbitrary files on the underlying operating system.

Also addressed in an advisory was the Blast RADIUS vulnerability disclosed earlier this month by security experts across the private sector and academia.

While Cisco hasn't released any patches for this yet, the advisory lists all the products that are confirmed to be affected and not affected by Blast RADIUS, as well as a sprawling list of products still under investigation. 

The vendor pointed to known mitigations for the vuln, but reminded customers that applying them may degrade performance. The advisory will be updated as Cisco's investigation continues.  ®
