
Cisco patches severe password reset flaw that lets hackers hijack SSM On-Prem license servers

News | 18 Jul 2024 | 4 mins
Security, Vulnerabilities

No exploits detected but admins warned to update to fixed version.

Cisco has issued a patch that fixes a severe password weakness in many versions of its Smart Software Manager On-Prem (Cisco SSM On-Prem), used by a subset of customers to manage product licenses using an on-premises server.

Cisco gives few details of the vulnerability, tracked as CVE-2024-20419 and classified as CWE-620 (Unverified Password Change), but it is serious enough to earn a maximum CVSS score of 10.0.

It does say that the issue lies in the password-change process, which an attacker can abuse, in a way Cisco has not described, to set a new password for an account and so take control of an SSM On-Prem server.

What is Cisco SSM On-Prem?

Normally, licenses for Cisco products are managed using Smart Software Manager (SSM), a Cisco-hosted cloud platform. From a security standpoint this means license data crosses the internet, and responsibility for protecting it is shared between Cisco and the customer.

SSM On-Prem does the same job, but keeps the license management data inside an organization’s datacenter.

Deep into the cloud age, some organizations still need to keep this infrastructure on premises: sectors whose networks have unreliable connectivity (energy, shipping), or which cannot take security on trust (financial services, government).

Which versions are affected?

According to Cisco's advisory, all but recent versions of SSM On-Prem are at risk, including releases shipped under the product's earlier name, Cisco SSM Satellite (the name used before version 7.0, released in 2019).

Specifically, the versions to look out for are 8-202206 and earlier. The first fixed release is 8-202212, and version 9 is not affected. Anything on an affected release should be updated to a fixed one.
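The following is an added example for triaging an inventory of SSM On-Prem servers against the version rules above; it is not Cisco's code and is not taken from the advisory. It assumes version strings in the forms Cisco uses ("8-202206" for the 8 train, dotted numbers such as "7.0" or "6.3.0" for older Satellite and On-Prem releases, "9.x" for the 9 train). Releases that fall between 8-202206 and the first fixed release 8-202212 are not addressed on this page, so the code reports them as "unknown" rather than guessing. Host names in the sample inventory are constructed.

```python
"""Classify Cisco SSM On-Prem versions against the CVE-2024-20419 advisory text.

Added example, not Cisco's code. Rules encoded are the ones stated on the page:
  - 8-202206 and earlier are affected, including the older SSM Satellite
    releases (pre-7.0 naming) and the 7.x releases.
  - 8-202212 is the first fixed release.
  - Version 9 is not affected.
"""
import re
from typing import Iterable, Tuple

# Assumed input formats (assumption, see lead-in):
#   "8-YYYYMM"  -> the 8 train, dated builds
#   "7.0", "6.3.0", "9.1" -> dotted releases; only the major number matters here
_TRAIN_DATE = re.compile(r"^(\d+)-(\d{6})$")
_DOTTED = re.compile(r"^(\d+)(?:\.\d+)*$")

LAST_AFFECTED = (8, 202206)   # "8-202206 and earlier"
FIRST_FIXED = (8, 202212)     # "first fixed version is 8-202212"


def parse_version(version: str) -> Tuple[int, int]:
    """Return a comparable (major, build) pair.

    For "8-YYYYMM" the build is the YYYYMM integer. For dotted releases the
    build is 0, which sorts before any dated build of the same major train;
    that is enough for the advisory's rules, which only need the major number
    for the 6.x/7.x/9.x cases.
    """
    v = version.strip()
    m = _TRAIN_DATE.match(v)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _DOTTED.match(v)
    if m:
        return int(m.group(1)), 0
    raise ValueError(f"unrecognised SSM On-Prem version string: {version!r}")


def assess(version: str) -> str:
    """Classify one version: 'affected', 'fixed', 'not_affected' or 'unknown'."""
    major, build = parse_version(version)
    if major >= 9:
        return "not_affected"          # version 9 is not affected
    if (major, build) <= LAST_AFFECTED:
        return "affected"              # 8-202206 and earlier, incl. 7.x and Satellite
    if (major, build) >= FIRST_FIXED:
        return "fixed"                 # 8-202212 and later
    return "unknown"                   # between the two; the page does not say


def triage(inventory: Iterable[Tuple[str, str]]) -> dict:
    """Return {host: status} for an inventory of (host, version) pairs."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("lic-dc1", "8-202206"),
        ("lic-dc2", "8-202212"),
        ("lic-lab", "7.0"),
        ("lic-old", "6.3.0"),
        ("lic-new", "9.1"),
        ("lic-mid", "8-202208"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Feed it the version string shown on each server's administration page (or from whatever asset inventory you keep) and act on every host that comes back "affected" or "unknown"; "unknown" means the page's stated boundaries do not settle it and the advisory itself should be consulted.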

When was this discovered?

The 2022 dates on those fixed versions suggest one of two things: either the issue was fixed incidentally in a later release and only recognized as a vulnerability afterwards, or Cisco has known about the problem (credited to a named researcher) for some time and held back disclosure while it prepared a fix.

What could an attacker do?

Cisco’s advisory discusses the effects of the flaw in vague terms, mentioning that it “could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.”

“Any user” in this context would be admins, departmental heads, and some service providers managing multiple customer accounts.

Moreover, the advisory said, “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.”

In principle, an attacker could use this access to steal licenses, or to interfere with or revoke licensed features. In practice, a compromised license server is more likely to be used as a bridgehead for lateral movement deeper inside the network, since it communicates with the licensed devices that register to it.

Some better news

There is an important qualification: to gain access, an attacker must actually change a user's password, which locks the legitimate user out of that account. Given how central licensing is to day-to-day network management, an administrator locked out of their own account is likely to notice quickly. Whether a change to a rarely used account would be noticed as fast is less certain, so password-change events on the server's web UI and API are worth auditing. Equally, regaining control of a hijacked server would not be quick or easy.

Cisco said that, to date, its product security incident response team (PSIRT) is not aware of any malicious exploitation of the vulnerability. That is encouraging, but the absence of observed exploitation is not evidence that it cannot or has not happened, so the advice remains to patch.

The flaw in SSM On-Prem is one of 10 flaws patched by Cisco in its July update.

John Dunn is one of the co-founders of Techworld, following a spell working for Tornado Insider, the European magazine for tech startups. He started in IT journalism as technical editor of Personal Computer Magazine, before progressing to become editor of Network World (formerly LAN Magazine) and Network Week before helping to set up Techworld Insider. He has also freelanced for a number of technical publications in the technology, science and business fields.
