Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco
Cisco has disclosed a critical flaw in its Cisco Smart Software Manager On-Prem product, a software-license management tool targeted at organizations with sensitive security requirements.
Cisco’s Smart Software Manager (SSM) helps organizations manage Cisco software licensing and product-activation keys, but the company has divulged that the SSM On-Prem component has a critical flaw with a severity rating of 9.8 out of 10.
Cisco says the bug, tracked as CVE-2020-3158, could allow a remote attacker to access a sensitive part of the system with a highly privileged account.
The attacker does not need a valid login to pull off an attack, Cisco warns, and could exploit it using a high-privilege default account to connect to the vulnerable system, gain read and write access to the system’s data, and change its settings.
The SSM On-Prem component is for Cisco customers that have “strict” security needs and which don’t want their Cisco products transmitting data to a central SSM database over the internet. Some customers might know it by its former name ‘Cisco Smart Software Manager satellite’.
Steven Van Loo, founder of the Belgium-based IT consultancy hIQkru, found the static default password on SSM On-Prem in a system account that is outside the administrator's control, so an operator cannot simply rotate it.
The consultant reported the bug to Cisco, which fixed it in SSM On-Prem release 7-202001, published at the end of January. Devices running earlier releases all share the same static password.
An attacker would not necessarily gain full administrative rights by logging in with the static password, but Cisco notes that an attacker could gain access to a sensitive part of the system.
SSM On-Prem systems are only vulnerable if the high availability (HA) feature has been enabled. HA is not on by default, according to Cisco.
Admins can check whether HA is enabled by looking in the administrative web interface for the 'high availability status' widget: if the widget is present, the feature is enabled, and a device on a release earlier than 7-202001 is vulnerable.
Admins can also use the onprem-console and type the ha_status command at the command line interface to determine the status of the device.
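The advisory gives two conditions that must both hold for a device to be exploitable: a release earlier than 7-202001 and HA enabled. The script below is an added example, not Cisco's code or any tool the page mentions, that applies those two conditions to a fleet inventory so the remediation order is clear (patch the exposed hosts first, but still patch the HA-off hosts, since they carry the same static password and become exposed the moment HA is turned on). It assumes release strings use the "<major>-<YYYYMM>" form seen in "7-202001"; the inventory CSV, hostnames and column names are constructed for the example, and nothing in it talks to a device.

```python
"""
Added example (not Cisco's code): triage SSM On-Prem hosts against the two
conditions from the advisory, a release earlier than 7-202001 and the
high availability (HA) feature enabled.

Assumptions (not from the page): release strings follow the
"<major>-<YYYYMM>" form (e.g. "7-201910"); the inventory is a constructed
CSV with host, release and ha_enabled columns gathered from the web UI
widget or the onprem-console ha_status check.
"""
import csv
import io
import re
from typing import List, Optional, Tuple

FIXED_RELEASE = "7-202001"  # first fixed release named in the advisory

# Constructed sample inventory: hosts and values are made up for the example.
SAMPLE_INVENTORY = """host,release,ha_enabled
ssm-a.example.test,7-201910,true
ssm-b.example.test,7-201910,false
ssm-c.example.test,7-202001,true
ssm-d.example.test,8-202002,true
ssm-e.example.test,unknown,true
"""

_RELEASE_RE = re.compile(r"^(\d+)-(\d{6})$")


def parse_release(text: str) -> Optional[Tuple[int, int]]:
    """Turn '7-202001' into (7, 202001); None if the string does not fit the form."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_pre_fix_release(release: str) -> Optional[bool]:
    """True if the release sorts before the first fixed release; None if unparseable."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    return parsed < parse_release(FIXED_RELEASE)


def classify(release: str, ha_enabled: bool) -> str:
    """
    Apply the advisory's two conditions and return one of:
      'vulnerable'     pre-fix release AND HA enabled: static account is reachable
      'pre_fix_ha_off' pre-fix release, HA off: not exploitable today, but it still
                       ships the static password and is exposed as soon as HA is on
      'fixed'          release 7-202001 or later
      'unknown'        release string did not parse; verify by hand
    """
    pre_fix = is_pre_fix_release(release)
    if pre_fix is None:
        return "unknown"
    if not pre_fix:
        return "fixed"
    return "vulnerable" if ha_enabled else "pre_fix_ha_off"


def triage(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (host, verdict) for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = []
    for row in rows:
        ha = row["ha_enabled"].strip().lower() in ("true", "yes", "1")
        results.append((row["host"], classify(row["release"], ha)))
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:<22} {verdict}")
```

A release string the parser does not recognise is reported as unknown rather than silently treated as fixed, so a hand-typed or legacy satellite version number cannot hide a vulnerable host.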
The SSM On-Prem bug was the only critical issue disclosed in Cisco’s February update. The company has also disclosed six high-severity vulnerabilities affecting its Unified Contact Center, the firmware of UCS C-Series Rack Servers, its Email Security Appliance and Security Management Appliance, and Data Center Network Manager.
The bug affecting Cisco UCS C-Series Rack Servers could allow an attacker to install a malicious image on an affected device. Cisco notes, however, that the attacker needs physical access and valid credentials; with both, the flaw lets them bypass the Unified Extensible Firmware Interface (UEFI) Secure Boot validation checks.
This bug affects the following Firepower Management Center, Secure Network Server and Threat Grid appliances:
- Firepower Management Center (FMC) 1000
- Firepower Management Center (FMC) 2500
- Firepower Management Center (FMC) 4500
- Secure Network Server 3500 Series Appliances
- Secure Network Server 3600 Series Appliances
- Threat Grid 5504 Appliance
These issues, along with nine more of medium severity, are described in Cisco's security advisories dated 19 February 2020.