Cisco recently disclosed a critical flaw, with a severity rating of 9.8 out of 10, in its Smart Software Manager (SSM) On-Prem, a tool that helps organizations manage Cisco software licensing programs and product activation keys. Cisco says this flaw, identified as CVE-2020-3158, could allow a hacker to access a vulnerable part of the system with a highly privileged account. In addition, the hacker does not need to make a valid connection to attack, but could use a highly privileged default account to connect to the vulnerable system, gain read and write access to system data and change its settings.
SSM On-Prem is intended for Cisco customers who have particular and demanding security needs and do not want Cisco products to transmit data to a central SSM database over the Internet. Some customers may know it by its old name, “Cisco Smart Software Manager satellite”.
Steven Van Loo, IT consultant and founder of Belgium-based IT consulting firm hIQkru, found the default static password on SSM On-Prem in a system account that is outside the administrator’s control. Fortunately for Cisco customers worldwide, the consultant reported the flaw to Cisco, which fixed it with SSM On-Prem 7-202001, released in late January 2020. All devices running earlier versions have the same static password.
However, a hacker who connects with the static password would not necessarily gain full administrator rights, but could gain access to a vulnerable part of the system. SSM On-Prem systems are vulnerable only if the High Availability (HA) feature is enabled, which is not the default setting.
Administrators can check whether HA is enabled by looking at the online admin interface and checking the “high availability status” widget. If it is, the function is on and the device is vulnerable. Administrators can also use the onprem console and type ha_status at the command prompt to determine the status of the device.
The SSM On-Prem flaw was the only major issue revealed in Cisco’s February 2020 update. The company also disclosed six high-severity vulnerabilities affecting its Unified Contact Center, UCS C-Series Rack Servers firmware, Email Security Appliance and Security Management Appliance, and Data Center Network Manager.
The bug affecting Cisco UCS C-Series Rack Servers could allow a hacker to introduce a malicious image onto a device, provided the hacker has physical access and is authenticated, allowing that person to bypass the Unified Extensible Firmware Interface (UEFI) Secure Boot verification checks.
Finally, this bug also affects the following Firepower Management Center and Secure Network Server products:
- Firepower Management Center (FMC) 2500
- Firepower Management Center (FMC) 4500
- Secure Network Server 3500 Series Appliances
- Secure Network Server 3600 Series Appliances
- Threat Grid 5504 Appliance