Cisco releases patches for two critical flaws in Smart Licensing Utility
Take action: If you are using Cisco Smart Licensing Utility (CSLU), plan to patch as soon as possible. The flaws can only be exploited while CSLU is running, but their severity and ease of exploitation mean that anyone, including a mildly disgruntled employee, could do harm, and such a person will have plenty of opportunities to catch CSLU running. Don't skip this patch.
Cisco has released patches for two critical vulnerabilities affecting the Cisco Smart Licensing Utility. These vulnerabilities allow privilege escalation or unauthorized access to sensitive information.
Details of Vulnerabilities:
- CVE-2024-20439 (CVSS score 9.8) – Undocumented Static Credential Vulnerability – This vulnerability is due to the existence of a static, undocumented administrative credential in the Cisco Smart Licensing Utility. If exploited, it allows an unauthenticated, remote attacker to log in with administrative privileges over the API, gaining full control over the system.
- CVE-2024-20440 (CVSS score 9.8) – Information Disclosure Vulnerability – This vulnerability arises from excessive verbosity in a debug log file, which could expose sensitive information. A remote attacker can craft an HTTP request to access these log files, potentially retrieving credentials to the API.
Affected versions: Cisco Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0.
Not impacted: Version 2.3.0 and later.
Both vulnerabilities were identified during Cisco’s internal security testing and are only exploitable when the Cisco Smart Licensing Utility is actively running.
Cisco advises all users running vulnerable versions to promptly update to version 2.3.0 or later. No workarounds are available for these vulnerabilities, so immediate updates are necessary.
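A small triage helper, added here as an example and not part of Cisco's advisory or tooling: it takes a constructed host inventory (hostnames, versions and the running flag are made up) and, using only the version facts stated above, lists the hosts that still need the 2.3.0 update, with instances where CSLU is currently running listed first. Version strings are compared numerically so that a hypothetical 2.10.0 sorts after 2.3.0.

```python
# Added example (not from the Cisco advisory or the summary above): triage a
# constructed host inventory against the version facts stated on this page.

AFFECTED = {(2, 0, 0), (2, 1, 0), (2, 2, 0)}   # versions the advisory lists
FIXED_FROM = (2, 3, 0)                         # "2.3.0 and later" not impacted


def parse_version(text: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CSLU version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """'vulnerable' for the three listed versions, 'fixed' for 2.3.0 and later,
    'not-listed' for anything the advisory does not cover (confirm with Cisco)."""
    v = parse_version(version)
    if v in AFFECTED:
        return "vulnerable"
    if v >= FIXED_FROM:
        return "fixed"
    return "not-listed"


def triage(inventory):
    """inventory: iterable of (host, version, cslu_running).
    Returns the hosts that need the 2.3.0 update, most urgent first."""
    rows = [(h, v, r) for h, v, r in inventory if classify(v) == "vulnerable"]
    # Exposure is only live while CSLU runs (per the advisory), so running
    # hosts go first; every vulnerable host still needs the patch.
    rows.sort(key=lambda r: (not r[2], r[0]))
    return rows


# Constructed sample inventory; these are not real hosts.
SAMPLE = [
    ("lic-01", "2.2.0", True),
    ("lic-02", "2.3.0", False),
    ("lic-03", "2.0.0", False),
    ("lic-04", "2.10.0", True),
    ("lic-05", "2.1.0", True),
]

if __name__ == "__main__":
    for host, version, running in triage(SAMPLE):
        print(f"{host}: CSLU {version} vulnerable, running={running}; update to 2.3.0 or later")
```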