Cisco Smart Software Manager On-Prem Account Takeover

Overview

The SonicWall Capture Labs threat research team became aware of an account takeover vulnerability in Cisco’s Smart Software Manager (SSM) On-Prem, assessed its impact and developed mitigation measures for it. Identified as CVE-2024-20419 and given a perfect CVSS score of 10.0, this remotely exploitable vulnerability allows an unauthenticated attacker to change any user’s account password on the device, including the administrator’s. While it is uncertain whether the vulnerability is currently being actively exploited, publicly available proof-of-concept (PoC) code exists, making exploitation more likely. The vulnerability affects Cisco SSM On-Prem software version 8-202206 and earlier. Cisco advises upgrading to version 8-202212; no other workarounds are known.

Technical Overview

CVE-2024-20419 is a flaw in the OTP (One-Time Password) generation process within Cisco Smart Software Manager On-Prem. The vulnerability exists in the `/backend/reset_password/generate_code` endpoint. This endpoint is intended to let a user verify their identity before obtaining the OTP; however, the application incorrectly includes the OTP in the response before verification is complete. This flaw allows an attacker to use the resulting authorization token before the OTP verification step has been completed, bypassing the security check and resetting any user’s password, including those of administrators.
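To make the design flaw concrete, the following is an added, constructed model of a two-step OTP reset flow; it is not Cisco’s code. Only the two endpoint names come from the advisory; the state kept per reset, the field names, and the out-of-band OTP delivery are assumptions. The `hardened` flag switches between the behaviour the advisory describes (the reset token is handed out by `generate_code` before any OTP check) and the correct ordering, where the token is released only after the OTP has been proven.

```python
import hmac
import secrets


class ResetService:
    """Constructed model of an OTP-gated password reset (not Cisco's code).

    hardened=False reproduces the flaw described above: generate_code returns
    the reset token in its response, and reset_password accepts that token
    without the OTP step ever having completed.
    """

    def __init__(self, users, hardened):
        self.users = dict(users)   # username -> password (constructed sample data)
        self.pending = {}          # username -> per-reset state
        self.outbox = {}           # simulated out-of-band OTP delivery (e.g. email)
        self.hardened = hardened

    def generate_code(self, username):
        """Analog of /backend/reset_password/generate_code (name from the advisory)."""
        if username not in self.users:
            return {"status": "error"}
        state = {
            "otp": f"{secrets.randbelow(10**6):06d}",
            "token": secrets.token_hex(16),
            "verified": False,
        }
        self.pending[username] = state
        self.outbox[username] = state["otp"]   # the OTP goes to the user, not the caller
        if self.hardened:
            return {"status": "ok"}            # nothing in the response is usable on its own
        # Vulnerable ordering: the reset token is disclosed before any verification.
        return {"status": "ok", "auth_token": state["token"]}

    def verify_code(self, username, otp):
        """Proves possession of the OTP; only then is the reset token released."""
        state = self.pending.get(username)
        if state is None or not hmac.compare_digest(state["otp"], otp):
            return {"status": "error"}
        state["verified"] = True
        return {"status": "ok", "auth_token": state["token"]}

    def reset_password(self, username, token, new_password):
        """Analog of /backend/reset_password (name from the advisory)."""
        state = self.pending.get(username)
        if state is None or not hmac.compare_digest(state["token"], token):
            return False
        if self.hardened and not state["verified"]:
            return False   # the token alone is not enough; the OTP step must have completed
        self.users[username] = new_password
        del self.pending[username]
        return True


def unverified_caller_can_reset(hardened):
    """True if a caller who only sees the generate_code response can change the password."""
    svc = ResetService({"admin": "original"}, hardened=hardened)
    token = svc.generate_code("admin").get("auth_token")
    if token is None:
        return False
    return svc.reset_password("admin", token, "chosen-without-otp")


def legitimate_user_can_reset(hardened):
    """The real user reads the OTP out-of-band, verifies it, then resets."""
    svc = ResetService({"admin": "original"}, hardened=hardened)
    svc.generate_code("admin")
    token = svc.verify_code("admin", svc.outbox["admin"])["auth_token"]
    return svc.reset_password("admin", token, "new-password") and svc.users["admin"] == "new-password"


if __name__ == "__main__":
    print("vulnerable, no OTP:", unverified_caller_can_reset(hardened=False))   # True
    print("hardened, no OTP:  ", unverified_caller_can_reset(hardened=True))    # False
    print("hardened, with OTP:", legitimate_user_can_reset(hardened=True))      # True
```

The fix is a matter of ordering and state, not of secrecy: the token must not leave the server until the OTP has been checked, and the reset endpoint must refuse any token whose OTP step never completed, so that even a token leaked some other way is useless on its own.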

Triggering the Vulnerability

Using the publicly available PoC code, we can see that triggering the vulnerability requires two web requests to the SSM: a GET request followed by a POST request. The GET request, as seen in Figure 1, is used to obtain the tokens required for the next request, an XSRF token and a session token.

Figure 1: Obtaining required tokens using GET request

With the appropriate tokens obtained, they can be used to trigger the vulnerability by sending a POST request to the vulnerable endpoint `/backend/reset_password/generate_code`, as seen in Figure 2. The vulnerable SSM returns the authentication token in the response, from which it can be parsed out.

Figure 2: Constructing the POST request to trigger the vulnerability

Exploitation

To exploit the information obtained from the vulnerability, the attacker uses the token to send a request to the `/backend/reset_password` endpoint, providing the username and the authentication token obtained earlier. This allows the attacker to set a new password for that user. Figure 3 demonstrates exploitation of this vulnerability by chaining all three requests using the public PoC.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS: 20223 Cisco SSM Admin Password Reset
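For teams without an inline IPS in front of the appliance, the request chain described under “Triggering the Vulnerability” and “Exploitation” also leaves a pattern in ordinary web-server logs. The following is an added example (not SonicWall’s signature logic and not Cisco’s code) that parses combined-format access-log lines and flags a client that posted to `/backend/reset_password/generate_code` and then to `/backend/reset_password` within a few seconds. The two paths are from the advisory; the combined log format, the POST method for the second request, the 10-second threshold and the sample lines themselves are constructed assumptions. A human completing a genuine OTP step takes noticeably longer than that, which is what separates the automated chain from a normal reset.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (combined format); not from a real device.
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 1021 "-" "python-requests/2.31"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /backend/reset_password/generate_code HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "POST /backend/reset_password HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "POST /backend/reset_password/generate_code HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:12:30 +0000] "POST /backend/reset_password HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2024:10:20:00 +0000] "GET / HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

GENERATE_PATH = "/backend/reset_password/generate_code"   # from the advisory
RESET_PATH = "/backend/reset_password"                    # from the advisory
WINDOW_SECONDS = 10   # assumed threshold: a human reading an OTP takes longer than this


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_fast_reset_chains(log_text, window=WINDOW_SECONDS):
    """Return (client_ip, seconds_between, user_agent) for every reset request that
    followed a generate_code request from the same client within `window` seconds."""
    last_generate = {}   # client ip -> timestamp of its most recent generate_code POST
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == GENERATE_PATH:
            last_generate[rec["ip"]] = rec["ts"]
        elif rec["path"] == RESET_PATH and rec["ip"] in last_generate:
            gap = (rec["ts"] - last_generate.pop(rec["ip"])).total_seconds()
            if 0 <= gap <= window:
                hits.append((rec["ip"], gap, rec["ua"]))
    return hits


if __name__ == "__main__":
    for ip, gap, ua in find_fast_reset_chains(SAMPLE_LOG):
        print(f"suspicious reset chain from {ip}: {gap:.0f}s between requests, UA={ua!r}")
```

Run against the sample, only the first client is reported: it moved from `generate_code` to `reset_password` in one second, while the second client took over seven minutes, which is consistent with someone reading an OTP from their mailbox. Treat the result as a triage lead rather than proof; the IPS signature above, and a successful upgrade to the fixed version, remain the authoritative controls.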

Remediation Recommendations

Per the Cisco advisory, customers should upgrade to Cisco SSM On-Prem version 8-202212. Cisco has reported no other known workarounds at this time, so an upgrade is required. Additional industry best practices, such as implementing an IP whitelist, network segmentation and removing internet-facing access, would help reduce overall risk, although they do not completely mitigate the issue.

Relevant Links

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.