Cisco discloses a 10.0 CVSS rating vulnerability in SSM On-Prem

Looks like even high-tech software management needs a strong ‘keep out’ sign. Maybe a few more padlocks, Cisco?
Cisco Smart Software Manager On-Prem Password Change Vulnerability

Cisco has revealed a significant security flaw in its Smart Software Manager On-Prem (SSM On-Prem), scoring a perfect 10.0 on the Common Vulnerability Scoring System (CVSS) scale. This vulnerability, CVE-2024-20419, was announced on July 17.

SSM On-Prem is a Cisco product designed for managing software licenses within an organization’s network infrastructure, specifically in environments where cloud-based solutions are not viable or preferred due to security or compliance requirements. It enables IT administrators to automate license management, monitor usage, and ensure compliance with licensing agreements, all from within the organization’s local network.

The vulnerability disclosed lies in Cisco SSM On-Prem’s authentication system. According to Cisco, an attacker can change the password of any user, including administrators, without needing to log in first. This flaw stems from how the password-change process was implemented. By sending specially crafted HTTP requests, attackers can exploit this vulnerability to gain control over the affected system with the same level of access as the compromised user.

A CVSS score of 10.0 indicates that this vulnerability is easy to exploit and can have severe consequences. In this case, attackers can exploit it over a network without needing any special privileges or user interaction, making it a high-risk issue.

However, because SSM On-Prem is primarily used in local networks, the day-to-day potential for exploitation might be lower unless remote access is poorly secured or the internal network is already compromised. If an attacker gains administrative access, they could disrupt operations, steal sensitive information, or cause significant damage.

This vulnerability affects Cisco SSM On-Prem and its predecessor, Cisco Smart Software Manager Satellite (SSM Satellite). Cisco has confirmed that the Cisco Smart Licensing Utility is not affected.

Cisco says that, unfortunately, there are no workarounds for this vulnerability. The only solution is to apply the software updates Cisco has released. For instance, releases up to and including 8-202206 should be updated to 8-202212. Cisco SSM On-Prem Release 9 is not affected.

Organizations using the affected software should immediately install Cisco’s updates to secure their systems. Cisco has made these updates available for free, and customers can obtain them through their usual update channels or by contacting Cisco support.

At the time of disclosure, Cisco said they were unaware of any malicious use of this vulnerability. Security researcher Mohammed Adel reported the issue, and Cisco promptly addressed it.

This vulnerability is part of a series of security advisories that Cisco released on July 17. Another notable vulnerability that we covered is an arbitrary file write in Cisco Secure Email Gateway.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for the Huffington Post's Code column.