Cisco has released security updates for two critical security vulnerabilities affecting the Smart Licensing Utility that could allow unauthenticated remote attackers to elevate their privileges or gain access to sensitive information.
The two vulnerabilities are described below:
- CVE-2024-20439 (CVSS Score: 9.8) – Undocumented static user credentials for the administrator account that an attacker could use to log in to an affected system
- CVE-2024-20440 (CVSS Score: 9.8) – Excessive verbosity in a debug log file, which an attacker could access via a crafted HTTP request to obtain credentials that can be used to access the API
Although these vulnerabilities do not depend on each other to be exploited, Cisco notes in its advisory that they “cannot be used unless the Cisco Smart Licensing Utility has been started by the user and is actively running.”
The vulnerabilities, which were discovered during internal security testing, also do not affect the Smart Software Manager On-Prem and Smart Software Manager Satellite products.
Users of Cisco Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to upgrade to the fixed version. Version 2.3.0 of the software is not susceptible to the flaws.
Cisco also released updates to address a command injection vulnerability in the Identity Services Engine (ISE) that could allow an authenticated local attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.
The vulnerability, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrative privileges on the affected device.
“This vulnerability is due to insufficient validation of user input,” the company said in a statement. “An attacker could exploit this vulnerability by issuing a crafted CLI command. A successful exploit could allow an attacker to elevate privileges to root.”
It affects the following versions:
- Cisco ISE 3.2 (3.2P7 – September 2024)
- Cisco ISE 3.3 (3.3P4 – October 2024)
The company also warned that proof-of-concept (PoC) exploit code is available, although it is not aware of any malicious exploitation of the bug.