Cisco Addresses Two Critical Vulnerabilities in Smart Licensing Software to Counteract Remote Attacks
Cisco has released security patches for two critical vulnerabilities in its Smart Licensing Software that could allow unauthorized, remote attackers to escalate their privileges or obtain sensitive information.
Below is a brief overview of the two vulnerabilities:
- CVE-2024-20439 (CVSS score: 9.8) – an undocumented static user credential for an administrative account that an attacker could use to log in to an affected system
- CVE-2024-20440 (CVSS score: 9.8) – an excessively verbose debug log file that an attacker could reach with a crafted HTTP request in order to obtain credentials usable for accessing the API
While these flaws do not depend on each other for successful exploitation, Cisco notes in its advisory that they “are not exploitable unless Cisco Smart Licensing Utility was initiated by a user and is actively functioning.”
The vulnerabilities, found during internal security testing, do not affect the Smart Software Manager On-Prem and Smart Software Manager Satellite products.
Users of Cisco Smart License Software versions 2.0.0, 2.1.0, and 2.2.0 are urged to upgrade to a fixed release. Version 2.3.0 of the software is not affected.
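The second flaw is an instance of a broader problem: debug logging that writes credentials to disk, where anyone who can read the file (or fetch it over HTTP) can harvest them. The following is an added, generic illustration of how to redact credential-like values before they reach a log handler, plus an audit helper that flags lines still carrying such material. It is not Cisco's code and has no relation to the actual Smart Licensing Utility log format; the patterns, logger name and sample log lines are all constructed for the example.

```python
import logging
import re

# Constructed patterns for common ways credentials leak into debug output:
# "key=value" / "key: value" pairs with a credential-like key, and HTTP
# Authorization headers. The negative lookahead keeps already-redacted
# values from being flagged again by the audit helper.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)(?!\[REDACTED\])(\S+)"),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)\b(authorization:\s*(?:basic|bearer)\s+)(?!\[REDACTED\])(\S+)"),
     r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    """Return `text` with credential values masked; the key name is kept for readability."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact_lines(lines):
    return [redact(line) for line in lines]


def find_secret_lines(lines):
    """Audit helper: 1-based indices of lines that still contain credential-like material."""
    return [i for i, line in enumerate(lines, start=1)
            if any(p.search(line) for p, _ in SECRET_PATTERNS)]


class RedactingFilter(logging.Filter):
    """Logging filter that masks credentials before a record is formatted or written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


def log_with_redaction(messages):
    """Log each message at DEBUG through a handler carrying RedactingFilter; return what was emitted."""
    logger = logging.getLogger("licensing-demo")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for message in messages:
        logger.debug(message)
    return handler.records


# Constructed sample debug lines, not taken from any real product log.
SAMPLE_DEBUG_LOG = [
    "2024-09-04 10:15:01 DEBUG login user=admin password=Sup3rS3cret!",
    "2024-09-04 10:15:02 DEBUG GET /api/status Authorization: Bearer eyJhbGciOi.fake.token",
    "2024-09-04 10:15:03 DEBUG license sync finished in 120ms",
]

if __name__ == "__main__":
    print("lines with credentials before redaction:", find_secret_lines(SAMPLE_DEBUG_LOG))
    for line in log_with_redaction(SAMPLE_DEBUG_LOG):
        print(line)
    print("lines with credentials after redaction:", find_secret_lines(redact_lines(SAMPLE_DEBUG_LOG)))
```

Redaction at the logging layer limits the damage if a debug file is later exposed, but it does not replace restricting who can read or fetch the file in the first place; the audit helper is useful for checking existing log archives for material that slipped through.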
Cisco has also released updates for a command injection vulnerability in its Identity Services Engine (ISE) that could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.
The vulnerability, tracked as CVE-2024-20469 (CVSS score: 6.0), requires the attacker to hold valid administrator privileges on a vulnerable device.
“This vulnerability stems from inadequate validation of user-provided input,” the company stated. “An attacker could potentially exploit this vulnerability by submitting a carefully constructed CLI command. A successful exploitation could enable the attacker to elevate privileges to root.”
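The root cause Cisco names, insufficient validation of user-supplied input that ends up in an OS command, is the classic command injection pattern. The following is an added, language-neutral illustration in Python of the vulnerable shape next to a hardened one; it is not Cisco's code, says nothing about how the ISE CLI is implemented, and the `echo`-based wrapper, the allowlist pattern and the sample inputs are constructed for the example.

```python
import re
import subprocess

# Constructed allowlist: a hostname-like target of bounded length. Spaces, ';',
# '|', '$', quotes and newlines never match, so they are rejected before the
# value gets anywhere near the operating system.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_unsafe(target: str) -> str:
    """VULNERABLE shape (only built here, never executed): the operator's value is
    pasted into a shell command string, so shell metacharacters in it would change
    what the shell runs."""
    return f"echo pinging {target}"


def is_valid_target(target: str) -> bool:
    return TARGET_RE.fullmatch(target) is not None


def build_command_safe(target: str) -> list:
    """Hardened shape: validate against the allowlist, then build an argv list so
    that no shell ever interprets the value."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["echo", "pinging", target]


def run_safe(target: str) -> str:
    """Validate, then run the argv list without a shell and return its stdout."""
    result = subprocess.run(build_command_safe(target),
                            capture_output=True, text=True, check=True)
    return result.stdout


def run_literal(target: str) -> str:
    """Defence in depth: even with validation skipped, an argv list hands the value
    to the program as one literal argument, so a metacharacter payload is printed
    as text rather than interpreted by a shell."""
    result = subprocess.run(["echo", "pinging", target],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    sample = "host1; id"  # constructed input containing a shell metacharacter
    print("unsafe string the shell would see:", build_command_unsafe(sample))
    print("allowlist accepts it?", is_valid_target(sample))
    print("argv form prints it literally:", run_literal(sample).strip())
    print("valid target runs fine:", run_safe("host1.example.net").strip())
```

Both layers matter: the allowlist rejects anything that is not a plausible target, and the argv form means that a validation gap does not become code execution. Because the vulnerability here requires administrator privileges, the validation also has to apply to privileged operators, since the point of the control is to keep an administrative CLI from becoming a path to root on the underlying OS.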
It affects the following versions:
- Cisco ISE 3.2 (3.2P7 – Sep 2024)
- Cisco ISE 3.3 (3.3P4 – Oct 2024)
The company also warned that proof-of-concept (PoC) exploit code is publicly available, although it has not observed any malicious exploitation of the vulnerability.

