Cisco has warned of multiple critical vulnerabilities in its Smart Licensing Utility, potentially enabling unauthenticated, remote attackers to collect sensitive information or gain administrative control over the software.
The vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, can be found in several versions of the software. Both have been rated a critical severity score of 9.8 on the CVSS scale, meaning exploitation of the flaw could result in a full system or data compromise.
The company has released software updates to address these issues but emphasized that there are no workarounds available for the vulnerabilities. It also said that, to date, it has not found public exploits or evidence of malefactors exploiting these flaws.
Impacted Products
The vulnerabilities affect systems running a vulnerable version of Cisco Smart Licensing Utility. These flaws are not dependent on the system’s configuration, and they only pose a risk if the utility is actively running. Cisco’s Smart Software Manager On-Prem and Smart Software Manager Satellite have been confirmed as unaffected by these vulnerabilities.
Vulnerability Details
Cisco has disclosed two primary vulnerabilities:
- CVE-2024-20439: This is a critical static credential vulnerability that could allow a remote actor to log into an affected system using an undocumented administrative account. This flaw carries a CVSS Base Score of 9.8 and is classified as “Critical.”
- CVE-2024-20440: This is an information disclosure vulnerability caused by excessive verbosity in debug log files. Attackers could exploit this flaw to access sensitive information, including credentials, by sending a specially crafted HTTP request to the affected device. This vulnerability also has a CVSS Base Score of 9.8.
Both vulnerabilities are independent of each other, meaning that the exploitation of one does not require the exploitation of the other.
Cisco has stressed that no workarounds are available for these vulnerabilities. Users are strongly encouraged to update their systems with the provided patches to mitigate the risks.
Software Updates and Support
Cisco has made free software updates available to address the vulnerabilities. Customers with active service contracts can access these fixes through their usual update channels. Those without service contracts can contact Cisco’s Technical Assistance Center (TAC) to obtain the necessary updates.
For more detailed information about the vulnerabilities and the required software updates, visit the Cisco Security Advisories page.
Cisco has emphasized the importance of regularly consulting security advisories to ensure systems are protected against potential threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.