Cisco has issued patches to address a critical security vulnerability in Smart Software Manager On-Prem (Cisco SSM On-Prem), which allows a remote, unauthenticated attacker to change any user’s password, including administrative users. This vulnerability, identified as CVE-2024-20419, has a CVSS score of 10.0.
According to Cisco, “This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.”
The flaw affects Cisco SSM On-Prem versions 8-202206 and earlier and has been resolved in version 8-202212. Notably, version 9 is not affected by this vulnerability. Cisco has indicated that there are no workarounds for this issue and that no known malicious exploitation has occurred. The vulnerability was discovered and reported by security researcher Mohammed Adel.
In addition, Cisco has fixed another critical vulnerability in Secure Email Gateway (CVE-2024-20401, CVSS score: 9.8) that could enable attackers to add new users with root privileges and permanently crash the appliances by sending emails with malicious attachments. Cisco explained, “An attacker could exploit this vulnerability by sending an email with a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system, add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial-of-service (DoS) condition.”
This flaw affects SEG devices running vulnerable versions of Cisco AsyncOS if the file analysis feature (part of Cisco Advanced Malware Protection) or the content filter feature is enabled and assigned to an incoming mail policy, and the Content Scanner Tools version is earlier than 23.3.0.4823. A patch for CVE-2024-20401 is included in Content Scanner Tools package versions 23.3.0.4823 and later, which is included by default in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
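The two Cisco advisories above each reduce to a version threshold plus, for the Secure Email Gateway, a feature condition. The following triage helper is an added example (not Cisco's code or tooling) that applies those thresholds to an inventory: SSM On-Prem 8-202206 and earlier is flagged affected, 8-202212 and later fixed, version 9 not affected, and SEG devices are flagged only when file analysis or a content filter is assigned to an incoming mail policy and the Content Scanner Tools package is older than 23.3.0.4823. The function names, the `INVENTORY` records and the "unknown" verdict for 8-2022xx builds the advisory text does not mention are assumptions of this example, not statements from Cisco.

```python
"""Triage helper for the Cisco SSM On-Prem and Secure Email Gateway fixes.

Added example, not Cisco's own code. Thresholds come from the advisory text:
  SSM On-Prem : 8-202206 and earlier affected, fixed in 8-202212, 9.x not affected
  SEG         : affected when file analysis or content filters are enabled on an
                incoming mail policy AND Content Scanner Tools < 23.3.0.4823
"""
import re

SSM_LAST_AFFECTED = (8, 202206)
SSM_FIXED = (8, 202212)
CST_FIXED = (23, 3, 0, 4823)


def parse_ssm_version(version):
    """Parse 'MAJOR-YYYYMM' (or a bare 'MAJOR') into a comparable tuple."""
    m = re.fullmatch(r"(\d+)(?:-(\d{6}))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem version: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def ssm_status(version):
    """Classify an SSM On-Prem build against CVE-2024-20419 thresholds."""
    major, build = parse_ssm_version(version)
    if major >= 9:
        return "not affected"
    if (major, build) <= SSM_LAST_AFFECTED:
        return "affected"
    if (major, build) >= SSM_FIXED:
        return "fixed"
    # Builds between 8-202206 and 8-202212 are not named in the advisory text,
    # so this example refuses to guess (hypothetical verdict, not Cisco's).
    return "unknown"


def parse_dotted(version):
    """Parse '23.3.0.4823'-style strings into an int tuple for comparison."""
    parts = re.split(r"[.-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def seg_status(scanner_version, file_analysis_enabled, content_filter_enabled):
    """Classify a Secure Email Gateway against CVE-2024-20401 conditions."""
    if not (file_analysis_enabled or content_filter_enabled):
        # Neither vulnerable feature is on an incoming mail policy.
        return "not affected"
    if parse_dotted(scanner_version) >= CST_FIXED:
        return "fixed"
    return "affected"


# Constructed sample inventory (hostnames and versions are made up for this example).
INVENTORY = [
    {"host": "ssm-a.example.internal", "product": "ssm", "version": "8-202206"},
    {"host": "ssm-b.example.internal", "product": "ssm", "version": "8-202212"},
    {"host": "ssm-c.example.internal", "product": "ssm", "version": "9-202403"},
    {"host": "seg-1.example.internal", "product": "seg", "scanner": "23.3.0.4822",
     "file_analysis": True, "content_filter": False},
    {"host": "seg-2.example.internal", "product": "seg", "scanner": "23.3.0.4823",
     "file_analysis": True, "content_filter": True},
    {"host": "seg-3.example.internal", "product": "seg", "scanner": "23.2.0.9000",
     "file_analysis": False, "content_filter": False},
]


def triage(inventory):
    """Return {host: verdict} for every record in the inventory."""
    verdicts = {}
    for rec in inventory:
        if rec["product"] == "ssm":
            verdicts[rec["host"]] = ssm_status(rec["version"])
        elif rec["product"] == "seg":
            verdicts[rec["host"]] = seg_status(
                rec["scanner"], rec["file_analysis"], rec["content_filter"])
        else:
            verdicts[rec["host"]] = "unknown product"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:28} {verdict}")
```

The SEG branch deliberately keys on the Content Scanner Tools package version rather than the AsyncOS release, because the advisory ties the fix to the scanner package (AsyncOS 15.5.1-055 and later merely bundle it by default); an appliance whose scanner package was updated independently is still correctly classified.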
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation:
– CVE-2024-34102 (CVSS score: 9.8) – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
– CVE-2024-28995 (CVSS score: 8.6) – SolarWinds Serv-U Path Traversal Vulnerability
– CVE-2022-22948 (CVSS score: 6.5) – VMware vCenter Server Incorrect Default File Permissions Vulnerability
CVE-2024-34102, also known as CosmicSting, is a severe security flaw arising from improper handling of nested deserialization, allowing remote code execution. A proof-of-concept (PoC) exploit was released by Assetnote last month. CVE-2024-28995, a directory traversal vulnerability, allows access to sensitive files on the host machine and has been exploited to read files such as /etc/passwd, as reported by GreyNoise. The exploitation of CVE-2022-22948 has been linked by Google-owned Mandiant to a China-nexus cyber espionage group, UNC3886, known for leveraging zero-day vulnerabilities in Fortinet, Ivanti, and VMware appliances.
Federal agencies are required to implement mitigations according to vendor instructions by August 7, 2024, to protect their networks against these active threats.