Cisco SSM On-Prem and Cisco Secure Email Gateway are affected by critical vulnerabilities

Threat ID:CC-4526

Threat Severity:Medium

Published:18 July 2024 2:13 PM

Summary

Affected platforms

The following platforms are known to be affected:

Cisco Smart Software Manager

Cisco Secure Email Gateway

The following platforms are also known to be affected:

Multiple other products are affected. Please see advisories below.

Threat details

Public proof-of-concept exploit available for CVE-2024-20419

The NHS England National CSOC assesses that imminent exploitation of CVE-2024-20419 is highly likely and strongly encourages organisations to follow the remediation guidance in Cisco Security Advisory cisco-sa-cssm-auth-sLw3uhUy.

CVE-2024-20419 affects Cisco Smart Software Manager On-Prem (SSM On-Prem) and Smart Software Manager Satellite (SSM Satellite). CVE-2024-20419 is extremely trivial to exploit, and a public exploit is available.

Introduction

Cisco has released advisories covering multiple products including two critical vulnerabilities, three high, and four medium severity. The two critical vulnerabilities are known as CVE-2024-20419 and CVE-2024-20401.

CVE-2024-20419 affects Cisco Smart software Manager (SSM) On-Prem and has a CVSSv3 score of 10 and could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. A public exploit is available.

CVE-2024-20401 affects Cisco Secure Email Gateway and has a CVSSv3 score of 9.8 and could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system (OS). This could allow an attacker to then add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial-of-service (DoS).

Additionally, two previous advisories regarding the regreSSHion (OpenSSH server RCE) vulnerability and the Blast-RADIUS (RADIUS protocol spoofing) vulnerability were updated.

Threat updates


25 Sep 2024	A public exploit for CVE-2024-20419 is available.
22 Jul 2024	Exploitation of CVE-2024-20419 highly likely

Remediation advice

Affected organisations are encouraged to review the following Cisco Security Advisories for more information.

Remediation steps


Patch	Cisco Smart Software Manager On-Prem Password Change Vulnerability \| cisco-sa-cssm-auth-sLw3uhUy https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
Patch	Cisco Secure Email Gateway Arbitrary File Write Vulnerability \| cisco-sa-esa-afw-bGG2UsjH https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH
Patch	RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 \| cisco-sa-radius-spoofing-july-2024-87cCDwZ3 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3
Patch	Cisco Secure Web Appliance Privilege Escalation Vulnerability \| cisco-sa-swa-priv-esc-7uHpZsCC https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-priv-esc-7uHpZsCC
Patch	Cisco Identity Services Engine Arbitrary File Upload Vulnerability \| cisco-sa-ise-file-upload-krW2TxA9 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-krW2TxA9
Patch	Cisco Intelligent Node Software Static Key Vulnerability \| cisco-sa-inode-static-key-VUVCeynn https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-inode-static-key-VUVCeynn
Patch	Cisco Webex App Vulnerabilities \| cisco-sa-webex-app-ZjNm8X8j https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-ZjNm8X8j
Patch	Cisco RV340 and RV345 Dual WAN Gigabit VPN Routers Authenticated Remote Code Execution Vulnerability \| cisco-sa-sb-rv34x-rce-7pqFU2e https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv34x-rce-7pqFU2e
Patch	Cisco Expressway Series Open Redirect Vulnerability \| cisco-sa-expressway-redirect-KJsFuXgj https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-redirect-KJsFuXgj
Patch	Cisco Secure Email Gateway Server-Side Template Injection Vulnerability \| cisco-sa-esa-priv-esc-ssti-xNO2EOGZ https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-priv-esc-ssti-xNO2EOGZ
Patch	Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024 \| cisco-sa-openssh-rce-2024 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024

Definitive source of threat updates

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

CVE Vulnerabilities

StatusPublished

CVE-2024-20419A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

StatusPublished

CVE-2024-20401A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system. This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device. Note: Manual intervention is required to recover from the DoS condition. Customers are advised to contact the Cisco Technical Assistance Center (TAC) to help recover a device in this condition.

Last edited: 25 September 2024 1:52 pm