Cisco has released software updates to address a critical vulnerability, rated at the maximum CVSS base score of 10.0, that allows an unauthenticated remote attacker to change any user's password, including those belonging to administrators.
The vulnerability, tracked as CVE-2024-20419, affects the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem). Companies use this tool to manage their Cisco software licenses and administer products on their own premises, such as network equipment, security products, collaboration tools, data center products, and others.
The vulnerability could allow “an unauthenticated, remote attacker to change the password of any user, including administrative users,” Cisco said in an advisory.
The company explained that improper implementation of the password-change process caused this vulnerability.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user,” the advisory reads.
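The advisory does not describe the flawed code, so the following is a generic illustration of the weakness class it names (a password-change handler that never verifies who is asking), placed beside a hardened version. This is added example code, not Cisco's SSM On-Prem implementation; the request shape, user store, session model and handler names are all constructed for the example.

```python
"""Unverified password change (the class of weakness described for
CVE-2024-20419) next to a hardened handler.

Hypothetical code: this is NOT Cisco's SSM On-Prem code. The Request shape,
in-memory user store and session table are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class User:
    name: str
    is_admin: bool
    salt: bytes
    digest: bytes


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: parsed JSON body plus session cookie."""
    body: dict
    session_token: Optional[str] = None


class Server:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, str] = {}  # session token -> username

    def add_user(self, name: str, password: str, is_admin: bool = False) -> None:
        salt, digest = hash_password(password)
        self.users[name] = User(name, is_admin, salt, digest)

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None:
            return None
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def vulnerable_change_password(self, req: Request) -> int:
        """Weak pattern: trusts the 'username' field in the body and never checks
        who the caller is, so any remote client can reset any account."""
        user = self.users.get(req.body.get("username", ""))
        if user is None:
            return 404
        user.salt, user.digest = hash_password(req.body["new_password"])
        return 200

    def hardened_change_password(self, req: Request) -> int:
        """Hardened pattern: caller must hold a valid session, may only change
        another account if an administrator, and must re-supply the current
        password when changing their own (a stolen session alone is not enough)."""
        caller_name = self.sessions.get(req.session_token or "")
        if caller_name is None:
            return 401
        caller = self.users[caller_name]
        target = self.users.get(req.body.get("username", caller_name))
        if target is None:
            return 404
        if target.name != caller.name and not caller.is_admin:
            return 403
        if target.name == caller.name:
            _, digest = hash_password(req.body.get("current_password", ""), target.salt)
            if not hmac.compare_digest(digest, target.digest):
                return 403
        target.salt, target.digest = hash_password(req.body["new_password"])
        return 200


def demo() -> dict:
    """Runs the same unauthenticated reset against both handlers and returns statuses."""
    results = {}
    weak = Server()
    weak.add_user("admin", "correct horse", is_admin=True)
    results["weak_status"] = weak.vulnerable_change_password(
        Request({"username": "admin", "new_password": "pwned"}))
    results["weak_attacker_logged_in"] = weak.login("admin", "pwned") is not None

    hard = Server()
    hard.add_user("admin", "correct horse", is_admin=True)
    hard.add_user("alice", "alice-pw")
    results["hardened_unauth"] = hard.hardened_change_password(
        Request({"username": "admin", "new_password": "pwned"}))
    alice = hard.login("alice", "alice-pw")
    admin = hard.login("admin", "correct horse")
    results["hardened_alice_targets_admin"] = hard.hardened_change_password(
        Request({"username": "admin", "new_password": "pwned"}, alice))
    results["hardened_admin_targets_alice"] = hard.hardened_change_password(
        Request({"username": "alice", "new_password": "reset-by-admin"}, admin))
    results["hardened_self_wrong_current"] = hard.hardened_change_password(
        Request({"current_password": "alice-pw", "new_password": "new-pw"}, alice))
    results["hardened_self"] = hard.hardened_change_password(
        Request({"current_password": "reset-by-admin", "new_password": "new-pw"}, alice))
    return results


if __name__ == "__main__":
    print(demo())
```

The weak handler returns 200 to an anonymous client and the attacker then logs in as admin; the hardened handler answers 401 to the same request, 403 when a non-admin session targets another account or supplies a wrong current password, and 200 only for the admin or a correctly re-authenticated self-change.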
All Cisco SSM On-Prem (previously called Cisco SSM Satellite) releases earlier than version 7.0 are vulnerable. Cisco has published no workarounds, so upgrading to a fixed release is the only remediation.
Cisco says it is not aware of any exploitation of the vulnerability in the wild.
Customers with service contracts are receiving free software updates.
“In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release,” Cisco said.
Customers without service contracts who purchased systems directly from Cisco or third-party vendors but cannot get fixed software through their point of sale should contact the Cisco Technical Assistance Center to receive upgrades.