Cisco has warned customers of critical vulnerabilities in its Smart Licensing Utility product, urging them to apply software updates to protect against attacks.
The two vulnerabilities, which are not dependent on one another, could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running. They each have a CVSS score of 9.8, giving them a critical rating.
There are no workarounds that address these vulnerabilities, meaning customers must apply new software updates provided by Cisco to prevent exploitation.
The vulnerabilities affect versions 2.0.0, 2.1.0 and 2.2.0 of the Cisco Smart Licensing Utility.
Cisco said it is not aware of any malicious exploitation of these vulnerabilities as of September 4, 2024.
The Cisco Smart License Utility Manager is a Windows-based application that enables customers to administer licenses and their associated Product Instances from their premises.
How the Vulnerabilities Can be Exploited
The first vulnerability highlighted, CVE-2024-20439, can allow a remote attacker to use a static administrative credential to log in to an affected system.
This flaw is due to an undocumented static user credential for an administrative account. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the application programming interface (API) of the Cisco Smart Licensing Utility application.
The second listed vulnerability, CVE-2024-20440, may enable an unauthenticated attacker to access sensitive information by sending a crafted HTTP request to an affected device.
This is due to excessive verbosity in a debug log file. A successful exploit could allow the attacker to obtain log files that contain sensitive data, including credentials that can be used to access the API.
Cisco noted that these vulnerabilities are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.
Cisco Products Targeted by Nation States
Cisco has highlighted several campaigns by nation-state threat actors that have targeted vulnerabilities in its products so far in 2024.
In April, the firm highlighted a sophisticated cyber espionage campaign dubbed ArcaneDoor by a state-sponsored actor, which exploited two vulnerabilities in Cisco firewall platforms.
Cisco also revealed in July that it had patched a zero-day vulnerability exploited by Chinese state-backed actors to compromise Cisco Nexus switches.
Image credit: CryptoFx / Shutterstock.com