13 October 2024

Cisco has issued patches for two critical vulnerabilities found in its Smart Licensing Utility. These flaws, if exploited, could allow unauthenticated remote attackers to escalate privileges or gain access to sensitive information.

Vulnerability Details:

  • CVE-2024-20439 (CVSS score: 9.8): This flaw involves the presence of an undocumented static user credential for an administrative account, which attackers could use to log in to affected systems.
  • CVE-2024-20440 (CVSS score: 9.8): This vulnerability stems from an overly verbose debug log file; an attacker could send a crafted HTTP request to retrieve credentials from that log and then use them to access the API.

Cisco notes that while these vulnerabilities can be exploited independently, they are only active when the Cisco Smart Licensing Utility is manually started and running. These flaws were identified during internal security testing and do not affect Cisco’s Smart Software Manager On-Prem and Smart Software Manager Satellite products.

Impacted Versions:

Users running Cisco Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0 should update to a fixed release. Version 2.3.0 of the software is not affected by these issues.

In addition to these critical flaws, Cisco also patched a command injection vulnerability in its Identity Services Engine (ISE). Tracked as CVE-2024-20469 (CVSS score: 6.0), this flaw could allow authenticated, local attackers to execute arbitrary commands and elevate privileges to root. It affects Cisco ISE 3.2 and 3.3, and proof-of-concept exploit code has been made available, though there have been no reports of malicious exploitation so far.
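The version and exposure conditions above (exact Smart Licensing Utility releases, ISE version trains, and the note that the utility flaws are only reachable while it is running) are what a defender would encode in a patch-triage check. The following is an added example, not code from the article or from Cisco; the inventory format, hostnames and running states are constructed, and the ISE fixed release is left unnamed because the article does not give one.

```python
from typing import Dict, List

# Affected releases as stated in the article above. Smart Licensing Utility
# entries are exact releases; ISE entries are version trains (major.minor),
# so any 3.2.x or 3.3.x build matches.
ADVISORIES: Dict[str, dict] = {
    "Cisco Smart Licensing Utility": {
        "cves": ("CVE-2024-20439", "CVE-2024-20440"),
        "affected": [(2, 0, 0), (2, 1, 0), (2, 2, 0)],
        "fixed": "2.3.0",
        # The article notes these flaws are only exposed while the utility is running.
        "requires_running": True,
    },
    "Cisco ISE": {
        "cves": ("CVE-2024-20469",),
        "affected": [(3, 2), (3, 3)],
        "fixed": None,  # fixed release not named in the article
        "requires_running": False,
    },
}


def parse_version(text: str) -> tuple:
    """Turn '2.2.0' into (2, 2, 0); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True if the version matches an affected release or train for the product."""
    adv = ADVISORIES.get(product)
    if adv is None:
        return False
    v = parse_version(version)
    # Prefix comparison lets a (3, 2) train entry match 3.2.0, 3.2.1, ...
    return any(v[: len(a)] == a for a in adv["affected"])


def triage(inventory: List[dict]) -> List[dict]:
    """Return one finding per vulnerable host, highest exposure first."""
    findings = []
    for item in inventory:
        product = item["product"]
        if not is_affected(product, item["version"]):
            continue
        adv = ADVISORIES[product]
        # A stopped Smart Licensing Utility is still unpatched, just not reachable yet.
        exposed = item.get("running", True) or not adv["requires_running"]
        findings.append({
            "host": item["host"],
            "product": product,
            "version": item["version"],
            "cves": list(adv["cves"]),
            "priority": "high" if exposed else "medium",
            "action": f"upgrade to {adv['fixed']}" if adv["fixed"] else "apply Cisco fixed release",
        })
    findings.sort(key=lambda f: (f["priority"] != "high", f["host"]))
    return findings


# Constructed sample inventory (hostnames, versions and states are made up).
SAMPLE_INVENTORY = [
    {"host": "lic-host-1", "product": "Cisco Smart Licensing Utility", "version": "2.2.0", "running": True},
    {"host": "lic-host-2", "product": "Cisco Smart Licensing Utility", "version": "2.3.0", "running": True},
    {"host": "lic-host-3", "product": "Cisco Smart Licensing Utility", "version": "2.1.0", "running": False},
    {"host": "ise-1", "product": "Cisco ISE", "version": "3.2.0", "running": True},
    {"host": "ise-2", "product": "Cisco ISE", "version": "3.1.0", "running": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        cves = ", ".join(f["cves"])
        print(f"{f['priority']:6} {f['host']:12} {f['product']} {f['version']} -> {f['action']} ({cves})")
```

The "medium" tier exists only because the article states the utility flaws are inactive until the tool is started; hosts in that tier still need the update, since anyone launching the utility later reopens the exposure.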

Recommendations:

Cisco strongly advises users to update their software to the fixed releases to safeguard their systems from potential exploitation of these vulnerabilities.
