Cisco has recently addressed critical vulnerabilities in its Smart Licensing Utility, including CVE-2024-20439, CVE-2024-20440 [1] [2] [3] [4] [6] [7], and CVE-2024-20469 [1] [3] [4] [6] [7].

Description

Cisco released patches on September 4, 2024, to fix vulnerabilities in its Smart Licensing Utility [3] [6]. CVE-2024-20439 allowed remote attackers to gain unauthorized access as an administrator through a static user credential. CVE-2024-20440 enabled attackers to exploit an overly verbose debug log file to obtain sensitive credentials. Additionally, a command injection vulnerability in Cisco’s Identity Services Engine (ISE) under CVE-2024-20469 could allow authenticated local attackers to run arbitrary commands and potentially escalate privileges to root. These vulnerabilities affected versions 2.0.0, 2.1.0, and 2.2.0 of the software [5], each with a CVSS score of 9.8 [3]. Users are advised to update to version 2.3.0 [3] [4], which includes patches for these vulnerabilities [3]. Cisco has released software updates to address these issues and urges customers to apply them promptly to prevent exploitation. As of September 4, 2024 [6], there have been no reported instances of malicious exploitation of these vulnerabilities. Cisco has also patched a second vulnerability in its Smart Licensing Utility, identified as CVE-2024-20440 [3] [4], which allows attackers to log into compromised systems using an undocumented static user credential [4]. Additionally, a command injection vulnerability (CVE-2024-20469) in Cisco’s Identity Services Engine (ISE) has been addressed, which could allow authenticated local attackers to execute arbitrary commands and elevate privileges to root [1] [4]. Users of Smart License Utility versions 2.0.0, 2.1.0 [4], and 2.2.0 are advised to upgrade to version 2.3.0 [4], while Cisco ISE versions 3.2 and 3.3 are affected [4], with patch releases available [4].

Conclusion

It is crucial for users to update to version 2.3.0 to mitigate the risks posed by these vulnerabilities. Cisco’s prompt response in releasing patches demonstrates its commitment to cybersecurity. Users should remain vigilant and apply updates promptly to protect their systems from potential exploitation.

References

[1] https://vulners.com/thn/THN:B72A9AA2A0EE9FF55BBF11C152FC5081
[2] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
[3] https://cybermaterial.com/cisco-patches-critical-bug-in-licensing-tool/
[4] https://observenow.com/2024/09/cisco-issues-critical-security-updates-for-smart-licensing-utility-and-identity-services-engine/
[5] https://www.infosecurity-magazine.com/news/cisco-critical-vulnerabilities/
[6] https://arcticwolf.com/resources/blog/cve-2024-20439-cve-2024-20440-critical-cisco-smart-licensing-utility-vulnerabilities/
[7] https://thehackernews.com/2024/09/cisco-fixes-two-critical-flaws-in-smart.html