Cisco has issued security updates to address two critical vulnerabilities in its Smart Licensing Utility, which could allow unauthenticated remote attackers to elevate privileges or access sensitive information. The flaws, identified as CVE-2024-20439 and CVE-2024-20440, were discovered during internal security testing and have a CVSS score of 9.8 each.
Key Takeaways
CVE-2024-20439: Undocumented static user credential for an administrative account.
CVE-2024-20440: Excessively verbose debug log file accessible via crafted HTTP request.
Both vulnerabilities require the Cisco Smart Licensing Utility to be actively running.
Affected versions: 2.0.0, 2.1.0, and 2.2.0.
Fixed in version 2.3.0.
Smart Software Manager On-Prem and Smart Software Manager Satellite products are not affected.
Vulnerability Details
CVE-2024-20439
This vulnerability involves an undocumented static user credential for an administrative account. An attacker could exploit this flaw to log in to an affected system, potentially gaining unauthorized access and elevated privileges.
CVE-2024-20440
This flaw arises from an excessively verbose debug log file. An attacker could exploit this by sending a crafted HTTP request to access these log files and obtain credentials that can be used to access the API.
Mitigation and Recommendations
Cisco advises users of the affected versions (2.0.0, 2.1.0, and 2.2.0) to update to the fixed release, version 2.3.0. The company has confirmed that these vulnerabilities are not exploitable unless the Cisco Smart Licensing Utility is actively running.
Additional Security Updates
Cisco has also released updates to address a command injection vulnerability in its Identity Services Engine (ISE), tracked as CVE-2024-20469, with a CVSS score of 6.0. This flaw could allow an authenticated local attacker to run arbitrary commands on the underlying operating system and elevate privileges to root.
Affected Versions
Cisco ISE 3.2 (3.2P7 - Sep 2024)
Cisco ISE 3.3 (3.3P4 - Oct 2024)
Exploit Availability
While a proof-of-concept (PoC) exploit code is available for CVE-2024-20469, Cisco is not aware of any malicious exploitation of this vulnerability. The company urges users to apply the necessary updates to mitigate potential risks.
Cisco's prompt action in addressing these critical vulnerabilities highlights the importance of regular security updates and internal testing. Users are strongly encouraged to update their systems to the latest versions to ensure protection against potential exploits.
In today's digital age, protecting your business from cyber threats is more important than ever. BetterWorld Technology's cybersecurity experts are dedicated to safeguarding your data and infrastructure with comprehensive, tailored solutions. Whether you need proactive monitoring, threat assessment, or incident response, we have the expertise to keep your business secure. Book a consultation with us now and take the first step toward fortifying your cybersecurity defenses with BetterWorld Technology.
Sources
Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks, The Hacker News.