Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco

Cisco urges customers using its smart licensing software to upgrade now because of a 9.8/10 severity flaw.

Cisco has disclosed a critical flaw in its Cisco Smart Software Manager On-Prem product, a software-license management tool targeted at organizations with sensitive security requirements.

Cisco's Smart Software Manager (SSM) helps organizations manage Cisco software licensing and product-activation keys, but the company has divulged that the SSM On-Prem component has a critical flaw with a severity rating of 9.8 out of 10.

Cisco says the bug, tracked as CVE-2020-3158, could allow a remote attacker to access a sensitive part of the system with a highly privileged account.

The attacker does not need a valid login to pull off an attack, Cisco warns, and could exploit it using a high-privilege default account to connect to the vulnerable system, gain read and write access to the system's data, and change its settings. 


The SSM On-Prem component is for Cisco customers that have "strict" security needs and which don't want their Cisco products transmitting data to a central SSM database over the internet. Some customers might know it by its former name 'Cisco Smart Software Manager satellite'.  

IT consultant Steven Van Loo, founder of the Belgium-based IT consultancy hIQkru, found the default static password in an SSM On-Prem system account that is outside the administrator's control.

Fortunately for Cisco customers around the world, the consultant reported the bug to Cisco, which fixed it in SSM On-Prem release 7-202001, released at the end of January. Devices running earlier releases all share the same static password.

An attacker would not necessarily gain full administrative rights by logging in with the static password, but Cisco notes that an attacker could gain access to a sensitive part of the system. 

SSM On-Prem systems are only vulnerable if the high availability (HA) feature has been enabled. HA is not on by default, according to Cisco. 

Admins can check whether HA is enabled by looking in the administrative web interface for the 'high availability status' widget; if the widget is present, the feature is enabled and the device is vulnerable.

Admins can also open the onprem-console and run the ha_status command at the command-line interface to determine the device's HA status.
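To turn the two checks above (release number and HA status) into a fleet-wide triage, here is an added example script that is not Cisco's code and is not part of the original article. It assumes SSM On-Prem release strings follow the "<major>-<YYYYMM>" pattern seen in the fixed release 7-202001, and that the HA flag per host is something you record yourself after checking the 'high availability status' widget or the ha_status output; the host names and releases in the sample inventory are constructed.

```python
"""Triage helper for CVE-2020-3158 (Cisco SSM On-Prem static password).

Added example, not Cisco's code. Assumptions (labelled): SSM On-Prem release
strings look like "<major>-<YYYYMM>" (e.g. "7-202001", the fixed release named
in the advisory); the HA flag for each host is recorded by the operator after
checking the 'high availability status' widget or running ha_status.
"""
from dataclasses import dataclass
from typing import List, Tuple

FIXED_RELEASE = "7-202001"  # first release with the fix, per the advisory


def parse_release(release: str) -> Tuple[int, int]:
    """Turn '7-202001' into (7, 202001) so releases can be ordered.

    Raises ValueError on anything that does not match the assumed pattern,
    so an unknown format is reported rather than silently treated as safe.
    """
    major, _, build = release.strip().partition("-")
    if not (major.isdigit() and build.isdigit() and len(build) == 6):
        raise ValueError(f"unrecognised SSM On-Prem release string: {release!r}")
    return int(major), int(build)


def is_patched(release: str) -> bool:
    """True if the release is the fixed one or later (assumed ordering)."""
    return parse_release(release) >= parse_release(FIXED_RELEASE)


@dataclass
class Host:
    name: str
    release: str
    ha_enabled: bool  # True if the HA widget is present / ha_status shows HA on


def triage(hosts: List[Host]) -> Tuple[List[str], List[str], List[str]]:
    """Return (vulnerable, patch_soon, ok) lists of host names.

    vulnerable: pre-fix release with HA enabled (the exploitable condition)
    patch_soon: pre-fix release with HA off today (exposed as soon as HA is turned on)
    ok:         running the fixed release or later
    """
    vulnerable, patch_soon, ok = [], [], []
    for h in hosts:
        if is_patched(h.release):
            ok.append(h.name)
        elif h.ha_enabled:
            vulnerable.append(h.name)
        else:
            patch_soon.append(h.name)
    return vulnerable, patch_soon, ok


# Constructed sample inventory (hypothetical hosts and releases, not real data)
SAMPLE_HOSTS = [
    Host("ssm-a", "7-201910", True),
    Host("ssm-b", "7-201910", False),
    Host("ssm-c", "7-202001", True),
    Host("ssm-d", "8-202004", False),
]

if __name__ == "__main__":
    v, p, o = triage(SAMPLE_HOSTS)
    print("VULNERABLE (pre-fix release, HA on):", v)
    print("PATCH SOON (pre-fix release, HA off):", p)
    print("OK (fixed release or later):", o)
```

The script deliberately refuses to classify a release string it cannot parse: a host with an unexpected version format should show up as an error to investigate, not disappear into the "ok" bucket.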

The SSM On-Prem bug was the only critical issue disclosed in Cisco's February update. The company has also disclosed six high-severity vulnerabilities affecting its Unified Contact Center, the firmware of UCS C-Series Rack Servers, its Email Security Appliance and Security Management Appliance, and Data Center Network Manager. 


The bug affecting Cisco UCS C-Series Rack Servers could allow an attacker to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot validation checks and install a malicious image on an affected device. But, Cisco notes, the attacker needs physical access to the device and must be authenticated.

This bug affects the Firepower Management Center and Secure Network Server products listed below:

  • Firepower Management Center (FMC) 1000 
  • Firepower Management Center (FMC) 2500
  • Firepower Management Center (FMC) 4500 
  • Secure Network Server 3500 Series Appliances
  • Secure Network Server 3600 Series Appliances
  • Threat Grid 5504 Appliance

More details about these and nine more medium-severity issues are given in Cisco's latest security advisories, dated 19 February 2020.
