Maximum-severity Cisco vulnerability allows attackers to change admin passwords

Cisco just dropped a patch for a maximum-severity vulnerability that allows attackers to change the password of any user, including admins. Tracked as CVE-2024-20419, the bug carries a maximum 10/10 CVSS 3.1 rating and affects the authentication system of Cisco Smart Software Manager (SSM) On-Prem. Cisco hasn't disclosed too …

  1. Pascal Monett Silver badge
    Windows

    "we know that an unauthenticated remote attacker can exploit this to change passwords"

    Thank God they got rid of the real threat that was Huawei . . .

    1. CowHorseFrog Silver badge

      Re: "we know that an unauthenticated remote attacker can exploit this to change passwords"

      I don't remember hearing of bad vulns in H products, but it seems C is always feeding the news another new story.

      1. ecofeco Silver badge
        Headmaster

        Re: "we know that an unauthenticated remote attacker can exploit this to change passwords"

        No "seems" about it.

        CISCO fails are a staple of El Reg reporting and have been for years.

        1. An_Old_Dog Silver badge

          Nicknames

          Or, as the Networks Group calls them, "PissCo"!

          (Yeah, we're an all-Cisco shop, including VOIP.)

  2. Anonymous Coward
    Boffin

    What is Cisco Smart Software Manager (CSSM)

    Me: ClippyAI, what is Cisco Smart Software Manager (CSSM) ?

    ClippyAI: Cisco Smart Software Manager (CSSM) is a web-based portal .. is a web-based application accessible via a browser. It leverages HTML, CSS, and JavaScript .. CSSM provides secure APIs, authentication tokens or API keys ...

    1. anonymous boring coward Silver badge

      Re: What is Cisco Smart Software Manager (CSSM)

      It said "leverages".

  3. Yorick Hunt Silver badge
    FAIL

    Let me guess...

    /setpass?user=admin&pw=newpass or something similar?

    That would certainly tie in with what I've seen elsewhere of Cisco's "brilliant" programming prowess.

  4. NoneSuch Silver badge
    Go

    No system, no software, no security protections will ever work 100% of the time.

    Layered defenses with restrictive access and continuous oversight from multiple vendors is the only way to mitigate security issues.

    1. Paul Crawford Silver badge
      FAIL

      No system, no software, no security protections will ever work 100% of the time.

      But some seem to only work 10% of the time.

  5. Anonymous Coward
    Anonymous Coward

    Vulnerability Designed In Fort Meade Many Years Ago........

    ....and, of course, the patch delivers a replacement approved in.......Fort Meade!!

    Sigh!!

    1. DS999 Silver badge

      Re: Vulnerability Designed In Fort Meade Many Years Ago........

      This is not the type of attack spooks would want, because it lets the target know they have been compromised because their passwords are changed. They would want silent unlogged access. The attack complexity being "low" is also not what they want, they would want something no one could ever stumble upon by accident.

      1. Tom Chiverton 1 Silver badge

        Re: Vulnerability Designed In Fort Meade Many Years Ago........

        On the other hand, as just demonstrated, very high plausible deniability.

      2. Anonymous Coward
        Anonymous Coward

        Re: Vulnerability Designed In Fort Meade Many Years Ago........

        Both patched vulnerabilities(*) gave you root access, and at that point, all bets are off. These bugs are about as big as they come - frankly, I'm surprised the bulletins didn't come with a warning that exploits have been seen in the wild. However, given who their friends are I suppose that such must have been kept vewwy, vewwy quiet..

        I'd say their security is Microsoft compatible.

        * There's also a biggie (CVSS score of 9.8) in their now rather ironically named "Security" Email Gateway that allows miscreants to replace files by simply sending an email with a malicious attachment, so if you see weird file attachments in your spam folder you now know why.

      3. Dimmer Silver badge

        Re: Vulnerability Designed In Fort Meade Many Years Ago........

        Some have more than one user on their devices or is this just adding a new one?

        Anyway, if you have a high level of paranoia, you would be logging changes to a syslog server that will send you an alert when something like this changes.
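The detection Dimmer describes (ship the application's auth events to a syslog collector and alert when a privileged account's password changes) can be made concrete. The block below is an added example and is not code from The Register, Cisco or any commenter; the log format, hostnames, user names, subnet prefixes and the privileged-account list are all constructed for illustration and are not the real SSM On-Prem log format. It parses a few sample syslog lines and flags a password change when it came from an unauthenticated session, from outside the management network, or from a non-admin user acting on someone else's privileged account.

```python
"""Alert on account-password changes found in forwarded syslog output.

Added example. The log line layout, host names, users, subnets and the
privileged-account list below are assumptions made for the demonstration;
they are not Cisco's format or values.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in RFC 3164 style (invented application, hosts and users).
SAMPLE_SYSLOG = """\
Jul 18 09:12:01 ssm-onprem authsvc[1021]: user=alice action=login result=success src=10.0.5.21
Jul 18 09:14:33 ssm-onprem authsvc[1021]: user=alice action=password_change target=alice src=10.0.5.21
Jul 18 09:20:07 ssm-onprem authsvc[1021]: user=<unauthenticated> action=password_change target=admin src=203.0.113.44
Jul 18 09:21:15 ssm-onprem authsvc[1021]: user=bob action=password_change target=admin src=10.0.5.30
Jul 18 09:25:40 ssm-onprem authsvc[1021]: user=admin action=password_change target=svc-backup src=10.0.5.10
"""

PRIVILEGED = {"admin", "svc-backup"}   # accounts whose credentials matter most (assumed)
ADMINS = {"admin"}                     # users allowed to reset other privileged accounts (assumed)
MGMT_NETS = ("10.0.5.",)               # management subnet prefixes (assumed)

# "<month> <day> <time> <host> <process>[<pid>]: key=value key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<kv>.*)$"
)


@dataclass
class Alert:
    timestamp: str
    target: str
    actor: str
    src: str
    reason: str


def parse_line(line):
    """Return the event's key=value fields plus timestamp/host, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    return fields


def evaluate(event):
    """Apply the alerting rules to one parsed event; return an Alert or None."""
    if event.get("action") != "password_change":
        return None
    actor = event.get("user", "")
    target = event.get("target", "")
    src = event.get("src", "")
    if actor == "<unauthenticated>":
        reason = "password changed without an authenticated session"
    elif not src.startswith(MGMT_NETS):
        reason = "password changed from outside the management network"
    elif target in PRIVILEGED and actor != target and actor not in ADMINS:
        reason = "privileged account password changed by a non-admin user"
    else:
        return None  # self-service change, or an admin resetting a service account
    return Alert(event["ts"], target, actor, src, reason)


def scan(syslog_text):
    """Run every line of a syslog capture through the rules and collect alerts."""
    alerts = []
    for line in syslog_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_SYSLOG):
        print(f"{a.timestamp} ALERT target={a.target} actor={a.actor} src={a.src}: {a.reason}")
```

On the sample capture this raises two alerts: the unauthenticated change to `admin` from an external address, and `bob` resetting `admin` from inside the management network; `alice` changing her own password and `admin` rotating the backup service account are left alone. The rules are ordered so the strongest signal (no authenticated session at all) is reported first, which is the one a collector would see for an unauthenticated password-change bug like the one in the article.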

  6. bjsvec

    Does anyone use this product?

    Or know anyone who does?

  7. CowHorseFrog Silver badge

    I guess every software developer at Cisco must be working for NK or R or China or all three. There's no way they could be fucking up this many times over n over again.

  8. Anonymous Coward
    Anonymous Coward

    Or if you don't want to stand it up on-prem you can suck up the Cisco-cloudy SSM and have someone hack your routers without you or Cisco ever knowing. No, wait, they just fixed the vuln. But what brought it to their attention in the first place? I mean, whoever trails through their logs looking for compromises?
