Lucene search

K
thnThe Hacker NewsTHN:B72A9AA2A0EE9FF55BBF11C152FC5081
HistorySep 05, 2024 - 4:40 a.m.

Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks

2024-09-0504:40:00
The Hacker News
thehackernews.com
13
cisco
security updates
smart licensing utility
identity services engine
remote attacks
local attacker
privilege elevation
vulnerability
cve-2024-20439
cve-2024-20440
cve-2024-20469

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

Low

EPSS

0.147

Percentile

95.9%

Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.

A brief description of the two vulnerabilities is below -

  • CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
  • CVE-2024-20440 (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API

While these shortcomings are not dependent on each other for them to be successful, Cisco notes in its advisory that they “are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.”

Cybersecurity

The flaws, which were discovered during internal security testing, also do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.

Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bug.

Cisco has also released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root.

The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.

“This vulnerability is due to insufficient validation of user-supplied input,” the company said. “An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.”

It impacts the following versions -

  • Cisco ISE 3.2 (3.2P7 - Sep 2024)
  • Cisco ISE 3.3 (3.3P4 - Oct 2024)

The company has also warned that a proof-of-concept (PoC) exploit code is available, although it’s not aware of any malicious exploitation of the bug.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

Low

EPSS

0.147

Percentile

95.9%

Related for THN:B72A9AA2A0EE9FF55BBF11C152FC5081