Cisco Issues Critical Security Patches for Vulnerabilities in Smart Licensing Utility and Identity Services Engine


Cisco has rolled out critical security updates addressing two significant vulnerabilities in its Smart Licensing Utility, which could allow unauthorized remote attackers to escalate privileges or gain access to sensitive data. These vulnerabilities, identified during internal security testing, are assigned the highest severity level, with a CVSS score of 9.8. Cisco has also patched a medium-severity command injection flaw in its Identity Services Engine (ISE), which could let attackers execute arbitrary commands.

Critical Vulnerabilities in Cisco’s Smart Licensing Utility

Cisco’s advisory highlights two major vulnerabilities affecting its Smart Licensing Utility. The first flaw, labeled CVE-2024-20439, stems from an undocumented static user credential in an administrative account. If exploited, attackers could use these credentials to log into affected systems without needing authentication. The second vulnerability, CVE-2024-20440, is related to the system’s verbose debug log files. Attackers can craft HTTP requests to access these logs and potentially retrieve credentials that could give them API access.

Although these vulnerabilities operate independently, Cisco noted that neither can be exploited unless the Smart Licensing Utility has been started by a user and is actively running. Cisco also confirmed that these flaws do not impact its Smart Software Manager On-Prem or Smart Software Manager Satellite products. Affected users are urged to update their systems, as the flaws are present in versions 2.0.0, 2.1.0, and 2.2.0 of the Smart Licensing Utility. Users running version 2.3.0 are not vulnerable to the identified risks.
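A patch-triage check built from the version and run-state details above, as an added example rather than code from Cisco or this article. It assumes a CSV asset inventory with hypothetical columns host, product, version and running, and it assumes releases later than 2.3.0 keep the fix.

```python
import csv
import io
import re

# Versions the article lists as affected, and the release it lists as not vulnerable.
AFFECTED = {(2, 0, 0), (2, 1, 0), (2, 2, 0)}
FIXED = (2, 3, 0)
# Products the article says are not impacted by these two flaws.
NOT_IMPACTED = {"smart software manager on-prem", "smart software manager satellite"}

# Constructed sample inventory; hostnames, columns and the 8.0 value are made up.
SAMPLE = """host,product,version,running
lic-01,Cisco Smart Licensing Utility,2.2.0,yes
lic-02,Cisco Smart Licensing Utility,2.1.0,no
lic-03,Cisco Smart Licensing Utility,2.3.0,yes
lic-04,Cisco Smart Licensing Utility,v2.0.0-build7,yes
lic-05,Cisco Smart Licensing Utility,unknown,yes
ssm-01,Smart Software Manager On-Prem,8.0,yes
"""

def parse_version(text):
    """Return (major, minor, patch), or None if no x.y.z version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(row):
    """Map one inventory row to a triage verdict."""
    product = row["product"].strip().lower()
    if product in NOT_IMPACTED:
        return "not-impacted"
    if "smart licensing utility" not in product:
        return "out-of-scope"
    version = parse_version(row["version"])
    if version is None:
        return "verify-version"  # never treat an unparsed version as safe
    if version in AFFECTED:
        running = row["running"].strip().lower() in {"yes", "true", "1"}
        return "patch-now" if running else "patch-before-next-start"
    if version >= FIXED:  # assumption: later releases retain the 2.3.0 fix
        return "not-vulnerable"
    return "verify-version"  # a release the article does not mention

def triage(csv_text=SAMPLE):
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```

Hosts on an affected version that are not currently running the utility are still flagged, because the exposure returns the next time a user starts it.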

Command Injection Flaw in Cisco Identity Services Engine

In addition to Cisco’s Smart Licensing Utility vulnerabilities, Cisco addressed another flaw, CVE-2024-20469, affecting its Identity Services Engine (ISE). This vulnerability has a CVSS score of 6.0 and requires the attacker to have valid administrator credentials. If successfully exploited, the flaw allows attackers to execute arbitrary commands on the operating system and elevate their privileges to the root level.

The flaw, caused by insufficient validation of user-supplied input, exists in specific versions of Cisco ISE, including versions 3.2 (3.2P7, released in September 2024) and 3.3 (3.3P4, released in October 2024). Although a proof-of-concept (PoC) exploit for this vulnerability is available, Cisco has stated that it is not aware of any active malicious use of the flaw.

Conclusion

Cisco’s timely security updates highlight the importance of regularly updating software to mitigate potential risks. Users of the affected versions of Cisco’s Smart Licensing Utility and Identity Services Engine are strongly advised to apply the patches to secure their systems against possible exploits. While the vulnerabilities have not yet been exploited in real-world attacks, the availability of PoC code raises concerns, making prompt action critical to safeguarding network infrastructures.
