Cisco Patches Two Smart Licensing Utility Vulnerabilities
Cisco patches for two critical security vulnerabilities have recently been released. Reports claim that the flaws impact Cisco’s Smart Licensing Utility and, if exploited, can allow threat actors to either elevate the privileges on a compromised system or have access to sensitive information.
In this article, we’ll cover what these vulnerabilities are and Cisco patches that need to be deployed for protection. Let’s begin!
CVE-2024-20439 And CVE-2024-20440
Before we get into the details of these vulnerabilities, it’s essential to know that both of them are not dependent on each other. In addition, Cisco, in an advisory, has also stated that these vulnerabilities are:
“Not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.”
CVE-2024-20439 refers to the existence of an undocumented static user credential pertaining to administrative accounts. The credential can be exploited by threat actors for gaining access. As of now this flaw has a critical vulnerability severity score (CVSS) of 9.8.
Its counterpart CVE-2024-20440 is a vulnerability that has prevailed due to a debug log file. This file can be exploited by threat actors via a crafted HTTP request, allowing them to obtain credentials used for accessing the API.
Cisco Vulnerability: Affected Products
Both CVE-2024-20439 and CVE-2024-20440 were discovered during the internal security testing. It’s worth noting that these vulnerabilities do not impact the Smart Software Manager On-Prem and Smart Software Manager Satellite products. However, Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are at risk.
These versions can be breached by threat actors exploiting these vulnerabilities. As an attack mitigation and prevention strategy, individuals who use these versions should update to a fixed release. As of now, bugs or flaws within Version 2.3.0 of the software have not prevailed.
Cisco Patches: Command Injection Vulnerability
While users can deteriorate the threat of CVE-2024-20439 and CVE-2024-20440, Cisco patches for a command injection vulnerability have also been released. The vulnerability, if exploited, allows threat actors to run arbitrary commands on the operating system and can be used for privilege escalation as well.
The particular flaw is being tracked as CVE-2024-20469, has a CVSS of 6.0, and requires attackers to have administrative privileges on compromised devices. Providing further details about the flaw, Cisco stated that:
“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.”
The vulnerability impacts Cisco ISE 3.2 (3.2P7 – Sep 2024) and Cisco ISE 3.3 (3.3P4 – Oct 2024) and the company has warned that a proof-of-concept (PoC) exploit code pertaining to it already exists. However, the company is not aware of any exploitation pertaining to this vulnerability.
Conclusion
Cisco patches for vulnerabilities in the Smart Licensing Utility and Identity Services Engine highlight the importance of keeping systems updated. Users should promptly install the latest fixes to mitigate risks associated with privilege escalation and unauthorized access, safeguarding their networks from potential exploitation by threat actors. Advanced security measures should also be deployed to reduce exposure and improve security posture.
The sources for this piece include articles in The Hacker News and Cybersecurity News.