Cisco has released critical security updates to address two significant vulnerabilities in its Smart Licensing Utility, which could expose systems to unauthenticated, remote attacks. The vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, each received a high CVSS score of 9.8. CVE-2024-20439 is due to the presence of an undocumented static user credential that could allow attackers to log in as an administrator. Meanwhile, CVE-2024-20440 arises from an excessively verbose debug log file, which could be exploited via crafted HTTP requests to access sensitive credentials.
Both vulnerabilities are independent of each other and do not pose a risk unless the Cisco Smart Licensing Utility is actively running. Cisco’s advisory highlights that these issues are not present in the Smart Software Manager On-Prem and Smart Software Manager Satellite products. Users of the affected Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0 are urged to update to version 2.3.0, which includes fixes for these vulnerabilities.
In addition to the Smart Licensing Utility flaws, Cisco has addressed a command injection vulnerability in its Identity Services Engine (ISE), tracked as CVE-2024-20469. This flaw, with a CVSS score of 6.0, allows an authenticated local attacker to run arbitrary commands on the operating system and potentially escalate privileges to root. The vulnerability is due to insufficient validation of user-supplied input and affects Cisco ISE versions 3.2 (3.2P7 – Sep 2024) and 3.3 (3.3P4 – Oct 2024).
Cisco has released updates to mitigate the risks associated with these vulnerabilities. Users are advised to apply the necessary patches promptly to ensure their systems remain secure. Although a proof-of-concept exploit code for CVE-2024-20469 is available, Cisco has not yet reported any malicious exploitation of this vulnerability.
Reference:
