Cisco reports critical flaws in Smart Licensing Utility
Take action: It is alarming that software shipped in 2024 still contains a hardcoded administrative credential. Never hardcode or ship default credentials: a secret that is identical on every install is pulled out of the binary or a log file within days and becomes the worst-kept secret of your product. For Smart Licensing Utility specifically, either stop using it or upgrade to 2.3.0 or later. Hoping you will not be compromised because you only run the utility occasionally is not a strategy: you are exposed every time it is running, and someone else is deferring a fix elsewhere on the assumption that you have patched the software you run.
Learn More
Cisco has disclosed two critical vulnerabilities in its Smart Licensing Utility (CSLU) that could allow an unauthenticated, remote attacker to gain administrative access to, or obtain sensitive information from, a system running the utility.
- CVE-2024-20439 (CVSS score 9.8) - Static credential vulnerability: an undocumented static user credential for an administrative account exists within the Cisco Smart Licensing Utility. An unauthenticated remote attacker who knows that credential can log in to an unpatched system through the CSLU application's API with administrative privileges, and from there make unauthorized modifications, steal data, or disrupt service.
- CVE-2024-20440 (CVSS score 9.8) - Information disclosure vulnerability: a debug log file of the Cisco Smart Licensing Utility is excessively verbose. An unauthenticated remote attacker can send a crafted HTTP request to an affected system and retrieve log files containing sensitive data, including credentials that can be used to access the API, enabling further attacks or unauthorized access. Note that the two flaws compound: the log leak can hand an attacker the very credential the first flaw makes so dangerous.
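As an added example (not Cisco's code and not the CSLU implementation), the following Python contrasts the two flaw classes above, a credential that is identical on every install and a debug log that records secrets, with a hardened login handler: a per-install secret generated at first start and kept only as a salted PBKDF2 hash, constant-time verification, and a redaction filter applied before anything reaches a log sink. The credential pair, the log line format, the regex and all function and class names are assumptions for illustration.

```python
"""Added example (not Cisco's code): a shared static admin credential plus a
debug log that records secrets, shown as a toy login handler beside a hardened
version. All names and values are assumed."""
from __future__ import annotations

import hashlib
import hmac
import logging
import os
import re
import secrets

# --- Vulnerable pattern: one credential baked into every install -------------
# Constructed placeholder values; anyone who reads the binary or one leaked
# debug log can now log in to every deployment.
STATIC_ADMIN = ("admin", "changeme")


def vulnerable_login(user: str, password: str, debug_log: list) -> bool:
    # Over-verbose debug logging writes the submitted secret to the log file,
    # so any flaw that lets an unauthenticated client fetch the log leaks it.
    debug_log.append(f"DEBUG login user={user} password={password}")
    return (user, password) == STATIC_ADMIN


# --- Hardened pattern -------------------------------------------------------
# Assumed regex: masks the value after password=/token=/secret=/api_key= and
# the credential part of an Authorization header.
SECRET_RE = re.compile(
    r"(?i)(authorization\s*:\s*\w+\s+|(?:password|passwd|token|secret|api[_-]?key)\s*[:=]\s*)(\S+)"
)


def redact(line: str) -> str:
    """Mask secret values before a line reaches any log sink."""
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so redact() runs on every record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class CredentialStore:
    """Per-install admin secret generated at first start; only a salted hash is kept."""

    ITERATIONS = 200_000  # PBKDF2 work factor; tune upward in production

    def __init__(self, salt: bytes, digest: bytes):
        self.salt, self.digest = salt, digest

    @classmethod
    def bootstrap(cls) -> tuple[CredentialStore, str]:
        """Create a fresh random credential. The clear-text value is returned once
        so the operator can record it; it is never stored or logged."""
        password = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        return cls(salt, cls._hash(password, salt)), password

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def verify(self, password: str) -> bool:
        # Constant-time compare of derived digests; the clear-text secret is never stored.
        return hmac.compare_digest(self._hash(password, self.salt), self.digest)


def hardened_login(store: CredentialStore, user: str, password: str, debug_log: list) -> bool:
    ok = user == "admin" and store.verify(password)
    # Log the outcome, never the secret, and redact defensively anyway.
    debug_log.append(redact(f"DEBUG login user={user} password={password} ok={ok}"))
    return ok


if __name__ == "__main__":
    log: list = []
    print(vulnerable_login("admin", "changeme", log), log[-1])   # True, secret in log
    store, one_time = CredentialStore.bootstrap()
    other, _ = CredentialStore.bootstrap()
    print(hardened_login(store, "admin", one_time, log), log[-1])  # True, redacted
    print(hardened_login(other, "admin", one_time, log))           # False: not shared
    logging.basicConfig(level=logging.DEBUG)
    logger = logging.getLogger("cslu-demo")
    logger.addFilter(RedactingFilter())
    logger.debug("Authorization: Basic %s", "YWRtaW46Y2hhbmdlbWU=")  # emitted redacted
```

The point of the second half is that a credential bootstrapped on install A is useless against install B, so a leaked log or a reverse-engineered binary no longer unlocks every deployment; the redaction filter is the belt-and-braces control for the day someone turns debug logging on in production.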
The vulnerabilities affect Cisco Smart Licensing Utility releases 2.0.0, 2.1.0 and 2.2.0; release 2.3.0 is not vulnerable. There are no workarounds, and Cisco recommends migrating to a fixed release. The utility does not run in the background by default, so a system is exposed only while a user has started it; that narrows the window but is not a reason to defer the upgrade.
The Cisco Product Security Incident Response Team (PSIRT) has not found any evidence of active exploitation or public exploit code for these vulnerabilities.
Cisco urges users of the affected versions to immediately update to a fixed release to protect against potential exploitation. Customers without service contracts should contact the Cisco Technical Assistance Center (TAC) to obtain the necessary updates.