Cyber Defense Advisors

Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users.

The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0.

“This vulnerability is due to improper implementation of the password-change process,” the company said in an advisory. “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.”

The shortcoming affects Cisco SSM On-Prem versions 8-202206 and earlier. It has been fixed in version 8-202212. It’s worth noting that version 9 is not susceptible to the flaw.

Cisco said there are no workarounds that resolve the issue, and that it’s not aware of any malicious exploitation in the wild. Security researcher Mohammed Adel has been credited with discovering and reporting the bug.

Also fixed by the networking equipment maker is another critical file write vulnerability in Secure Email Gateway (CVE-2024-20401, CVSS score: 9.8) that lets attackers add new users with root privileges and permanently crash the appliances using emails with malicious attachments.

“An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device,” it noted. “A successful exploit could allow the attacker to replace any file on the underlying file system.”

“The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial-of-service (DoS) condition on the affected device.”

The flaw affects SEG devices if it is running a vulnerable release of Cisco AsyncOS and if the following prerequisites are met –

The file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy
The Content Scanner Tools version is earlier than 23.3.0.4823

A patch for CVE-2024-20401 is available via Content Scanner Tools package versions 23.3.0.4823 and later, which is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.

CISA Adds 3 Flaws to KEV Catalog

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation –

CVE-2024-34102 (CVSS score: 9.8) – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
CVE-2024-28995 (CVSS score: 8.6) – SolarWinds Serv-U Path Traversal Vulnerability
CVE-2022-22948 (CVSS score: 6.5) – VMware vCenter Server Incorrect Default File Permissions Vulnerability

CVE-2024-34102, which is also referred to as CosmicSting, is a severe security flaw arising from improper handling of nested deserialization, allowing attackers to achieve remote code execution. A proof-of-concept (PoC) exploit for the flaw was released by Assetnote late last month.

Reports about the exploitation of CVE-2024-28995, a directory transversal vulnerability that could enable access to sensitive files on the host machine, were detailed by GreyNoise, including attempts to read files such as /etc/passwd.

The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886, which has a history of leveraging zero-day flaws in Fortinet, Ivanti, and VMware appliances.

Federal agencies are required to apply mitigations per vendor instructions by August 7, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.