CVE-2020-3245 in Smart Software Manager On-Prem

Summary

by MITRE

A vulnerability in the web application of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to create arbitrary user accounts. The vulnerability is due to the lack of authorization controls in the web application. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to add user accounts to the configuration of an affected device. These accounts would not be administrator or operator accounts.


Analysis

by VulDB Data Team • 10/24/2020

The vulnerability identified as CVE-2020-3245 resides within Cisco Smart Software Manager On-Prem (SSM On-Prem) web application components, representing a critical authorization flaw that undermines the system's security posture. This weakness manifests as a complete absence of proper access controls within the web interface, creating an exploitable pathway for unauthorized actors to manipulate the device's user account configuration. The vulnerability specifically affects the authentication and authorization mechanisms that should normally prevent arbitrary user creation, leaving the system exposed to remote exploitation without requiring any prior credentials or privileged access.

The technical exploitation of this vulnerability occurs through the manipulation of HTTP requests sent to the affected device's web application interface. Attackers can craft specific HTTP requests that bypass normal authentication requirements and directly invoke the user account creation functionality. This flaw operates at the application layer where proper input validation and access control checks are missing, allowing attackers to inject malicious requests that result in the creation of new user accounts within the system configuration. The vulnerability's impact is particularly concerning because it enables attackers to establish persistent access points within the device's user management system, potentially allowing them to maintain long-term presence within the network environment.

From an operational perspective, this vulnerability creates significant risks for organizations deploying Cisco SSM On-Prem solutions, as it provides attackers with the capability to establish unauthorized accounts that can be used for further exploitation or persistent access. While the created accounts are not administrator or operator level accounts, they still represent a foothold within the system that could be leveraged for additional attacks or used to gain deeper access through privilege escalation attempts. The remote nature of the exploit means that attackers can target vulnerable devices from outside the network perimeter, potentially compromising devices that are not directly exposed to external traffic but still maintain web application interfaces.

Organizations should implement immediate mitigations, including network segmentation to isolate affected devices, deployment of web application firewalls to monitor and filter malicious HTTP requests, and access control lists that restrict access to the web application interface. The vulnerability aligns with CWE-284, which describes improper access control issues, and represents a clear violation of the principle of least privilege as defined in cybersecurity best practices. From an attack framework perspective, this vulnerability maps to the privilege escalation and persistence tactics of the MITRE ATT&CK framework, where attackers can establish footholds within systems through unauthorized account creation. Additionally, the lack of proper authorization controls demonstrates a failure to implement defense in depth principles, as the system should have multiple layers of access control checks rather than relying on a single point of failure.
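As an added example (not part of the original entry and not Cisco or VulDB code), the following script checks the access-list mitigation described above by reviewing access logs from a reverse proxy placed in front of the web interface. The allowed management network, the log format (common log format), the treatment of 403 as blocked, and the request paths in the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the only networks the ACL should let reach the web interface.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Common log format: client ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: documentation addresses, placeholder paths.
SAMPLE_LOG = """\
10.20.0.15 - alice [24/Oct/2020:10:01:02 +0000] "POST /placeholder/accounts HTTP/1.1" 201 310
198.51.100.7 - - [24/Oct/2020:10:03:44 +0000] "GET /placeholder/login HTTP/1.1" 200 1522
198.51.100.7 - - [24/Oct/2020:10:03:51 +0000] "POST /placeholder/accounts HTTP/1.1" 201 298
203.0.113.9 - - [24/Oct/2020:10:05:10 +0000] "POST /placeholder/accounts HTTP/1.1" 403 120
not a log line
"""


def is_allowed(ip_text):
    """True if the client address falls inside an allowed management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def review(log_text):
    """Return (findings, unparsed_count) for requests from outside the allowlist."""
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if is_allowed(m["ip"]) or m["status"] == "403":
            continue  # permitted source, or refused (treated here as blocked)
        changed = m["method"] in STATE_CHANGING and m["status"].startswith("2")
        label = "investigate" if changed else "exposure"
        findings.append((label, m["ip"], m["method"], m["path"], m["status"]))
    return findings, unparsed


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG)[0]:
        print(*finding)
```

An "exposure" finding means the interface answered a source the access list should have dropped; an "investigate" finding is a successful state-changing request from such a source and warrants comparing the device's account list against the accounts administrators actually created.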

Reservation: 12/12/2019
Moderation: accepted
CPE: ready
EPSS: 0.01207
KEV: no
Activities: very low
