The Shield53 Threat Intelligence Team is issuing this bulletin to inform you of two critical vulnerabilities impacting Cisco Smart Licensing Utility (CSLU). If your organization uses Cisco Smart Licensing Utility, immediate review of this bulletin and prompt action is advised to mitigate the risks.
Summary
On September 4, 2024, Cisco announced security updates for two critical vulnerabilities in the Cisco Smart Licensing Utility, a tool widely used for managing licenses across various Cisco products. These vulnerabilities are exploitable only if the Smart Licensing Utility is actively running.
- CVE-2024-20439 (Static Credential Vulnerability): This flaw allows unauthenticated, remote attackers to gain administrative access by leveraging an undocumented static credential. Attackers can use this static credential to gain full administrative privileges via the API.
- CVE-2024-20440 (Information Disclosure Vulnerability): This issue permits unauthenticated attackers to access sensitive data due to excessively detailed logging in a debug file. By sending a crafted HTTP request to the affected device, attackers can retrieve log files containing sensitive information, such as API credentials.
Note: These vulnerabilities do not affect Cisco Smart Software Manager On-Prem or Satellite.
Shield53 has not observed any active exploitation of these vulnerabilities in the wild, nor has publicly available proof-of-concept (PoC) code surfaced yet. However, given how frequently threat actors have targeted Cisco products in the past, these vulnerabilities may soon become attractive to attackers because they offer easy access and straightforward exploitation.
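While patching is the only fix, teams can hunt for the behaviour the bulletin describes for CVE-2024-20440 (an HTTP request that retrieves a log or debug file from the CSLU host) in their web access logs. The script below is an added example from the Shield53 editor, not Cisco's code and not part of the Cisco advisory. It assumes the CSLU HTTP API sits behind a reverse proxy or web server that writes Common Log Format lines; because the bulletin does not state the exact URL path involved, the detection uses a generic heuristic (paths that look like log or debug files) rather than any Cisco-specific endpoint. The sample log lines are constructed for the example.

```python
"""Hunt for log/debug-file retrieval over HTTP against a CSLU host.

Added example, not Cisco's code. Assumptions (not stated in the bulletin):
  - requests to the CSLU API are recorded in Common Log Format (CLF);
  - the exact CVE-2024-20440 URL path is not published here, so any path
    that looks like a log or debug artefact is treated as suspicious.
"""
import re
from dataclasses import dataclass

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic indicators of a log/debug artefact in the URL path.
# Placeholder pattern, not a Cisco identifier.
SUSPICIOUS_PATH_RE = re.compile(
    r'(\.log(\.\d+)?(\?|$)|/debug|/logs?/)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    src_ip: str
    path: str
    status: int
    reason: str  # "served" when the file was returned, "attempted" otherwise


def parse_clf(line):
    """Return a dict of CLF fields, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines, trusted_sources=frozenset()):
    """Flag requests for log/debug-like paths from untrusted source IPs.

    A 2xx response means the file was actually handed out and is the
    higher-severity case; any other status is recorded as an attempt.
    """
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec["ip"] in trusted_sources:
            continue
        if not SUSPICIOUS_PATH_RE.search(rec["path"]):
            continue
        reason = "served" if 200 <= rec["status"] < 300 else "attempted"
        findings.append(Finding(rec["ip"], rec["path"], rec["status"], reason))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Sep/2024:10:15:01 +0000] "GET /api/v1/logs/debug.log HTTP/1.1" 200 8123',
    '10.0.0.5 - - [05/Sep/2024:10:16:44 +0000] "GET /api/v1/logs/debug.log HTTP/1.1" 200 8123',
    '203.0.113.7 - - [05/Sep/2024:10:17:02 +0000] "GET /api/v1/licenses HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Sep/2024:10:18:30 +0000] "GET /debug/trace.log HTTP/1.1" 404 0',
    'not a log line at all',
]

if __name__ == "__main__":
    # 10.0.0.5 is treated as an allowlisted admin workstation (assumption).
    for f in hunt(SAMPLE_LOG, trusted_sources={"10.0.0.5"}):
        print(f"{f.reason:9} {f.src_ip:15} {f.status} {f.path}")
```

Run it against the proxy's access log for the CSLU host, with the admin workstations that legitimately pull diagnostics in `trusted_sources`; "served" hits from anything else are the events to triage first, because the bulletin notes the retrieved logs can contain API credentials.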
Additional Cisco Vulnerability Fix
In addition to these CSLU vulnerabilities, Cisco also addressed CVE-2024-20469 in Cisco Identity Services Engine (ISE). This vulnerability enables an authenticated local user with administrator privileges to perform command injection attacks, potentially granting root access to the system’s underlying OS. While CVE-2024-20469 is deemed less severe, Cisco has acknowledged the existence of publicly available PoC exploit code.
Shield53 will adhere to its standard process to evaluate the impact of these vulnerabilities in our environment. If found vulnerable, remediation will follow according to our Security Patching Policy.
Recommendation: Immediate Action Required
We strongly recommend that all organizations using Cisco Smart Licensing Utility take immediate action to upgrade to the fixed versions as outlined below:
Product                          Vulnerabilities                   Affected Versions   Patching Guidance
Cisco Smart Licensing Utility    CVE-2024-20439, CVE-2024-20440    2.0.0               Migrate to a fixed release.
                                                                   2.1.0               Migrate to a fixed release.
                                                                   2.2.0               Migrate to a fixed release.
                                                                   2.3.0               Not affected.
Cisco Identity Services Engine   CVE-2024-20469                    3.1 and earlier     Not affected.
                                                                   3.2                 Upgrade to 3.2P7 (Sep 2024)
                                                                   3.3                 Upgrade to 3.3P4 (Oct 2024)
                                                                   3.4                 Not affected.
Please ensure all patching and testing procedures are followed to prevent any operational disruptions.
References:
- Cisco Security Advisory (CVE-2024-20439 & CVE-2024-20440): Cisco Security Advisory Link
- Cisco Security Advisory (CVE-2024-20469): Cisco Security Advisory Link
For any further questions or assistance, feel free to reach out to the Shield53 Threat Intelligence Team.