Cisco Warns of Critical Vulnerabilities in Smart Licensing Utility

SeniorTechInfo

The Critical Vulnerabilities in Cisco Smart Licensing Utility: What You Need to Know

Cisco has warned customers of two critical vulnerabilities in its Smart Licensing Utility. Left unpatched, they let a remote attacker log in to the utility's API with administrative privileges or read sensitive information, including credentials, out of the application. Customers should apply the software updates Cisco has released.

The Vulnerabilities

The two vulnerabilities in the Cisco Smart Licensing Utility are not dependent on one another: either can be exploited on its own. The static-credential flaw carries a CVSS base score of 9.8 (critical); the information-disclosure flaw is rated 7.5. Either one could allow an unauthenticated remote attacker to obtain sensitive information or to take administrative control of the Cisco Smart Licensing Utility services on a system.

Cisco Smart Licensing Utility releases 2.0.0, 2.1.0 and 2.2.0 are affected. Customers running any of these should upgrade to a fixed release listed in Cisco's advisory.

As of September 4, 2024, the date of its advisory, Cisco was not aware of any malicious exploitation of these vulnerabilities. Customers should still apply the updates promptly: a static credential requires no exploit development once it becomes known.

The Cisco Smart Licensing Utility is a Windows-based application that lets customers manage licenses and product instances from their own premises.

Exploiting the Vulnerabilities

The first vulnerability, CVE-2024-20439, lets an unauthenticated remote attacker log in to an affected system with a static administrative credential. The flaw is an undocumented static credential for an administrative account; anyone who holds it gains administrative privileges over the API of the Cisco Smart Licensing Utility application.

The second vulnerability, CVE-2024-20440, lets an unauthenticated remote attacker obtain sensitive information by sending a crafted HTTP request to an affected system. The cause is excessive verbosity in a debug log file: the request returns the log, which can contain credentials and other sensitive data.

Cisco emphasizes that both vulnerabilities are exploitable only while the Cisco Smart Licensing Utility has been started by a user and is actively running. Because any user can start it at any time, whether it is running is only a point-in-time observation; an installed affected version should be upgraded regardless.
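The two facts above that matter to a defender are the list of affected releases and the "only while running" condition. The PowerShell script below is an added example for this article, not Cisco's tooling and not code the article describes: it inventories a Windows host for the utility, flags the affected releases and reports whether it is currently running. It assumes (the article does not say) that the installer registers an Add/Remove Programs entry whose DisplayName contains "Smart Licensing Utility", that DisplayVersion starts with an x.y.z number, and that the running process can be recognised by "SmartLicens" in its name or by an executable path under the install directory; adjust those patterns to what you see on a host.

```powershell
# Added example; not Cisco's tooling. Assumptions are marked where used.

# Affected releases named in the article.
$AffectedVersions = @('2.0.0', '2.1.0', '2.2.0')

# Add/Remove Programs entries for 64-bit, 32-bit and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed DisplayName pattern.
$Installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Smart Licensing Utility*' }

if (-not $Installs) {
    Write-Output 'Cisco Smart Licensing Utility: no install found in the uninstall registry keys.'
    return
}

# Install directories, used to match running processes by executable path.
$InstallDirs = @($Installs | ForEach-Object { $_.InstallLocation } | Where-Object { $_ })

# Cisco states the flaws are exploitable only while the utility is running,
# so record that state. The process-name pattern is an assumption.
$RunningProcs = @(Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $proc = $_
    ($proc.Name -like '*SmartLicens*') -or
    ($proc.Path -and ($InstallDirs | Where-Object {
        $proc.Path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }))
})

foreach ($install in $Installs) {
    # Normalise "2.2.0.1234"-style strings to the x.y.z form the advisory uses.
    $parts   = "$($install.DisplayVersion)" -split '\.'
    $version = ($parts | Select-Object -First 3) -join '.'

    $status = if ($AffectedVersions -contains $version) {
        'AFFECTED: upgrade to a fixed release from the Cisco advisory'
    } else {
        'not one of the listed affected releases: confirm against the advisory'
    }

    [pscustomobject]@{
        Product   = $install.DisplayName
        Version   = $version
        Status    = $status
        Running   = ($RunningProcs.Count -gt 0)
        Processes = ($RunningProcs | ForEach-Object { "$($_.Name) (PID $($_.Id))" }) -join ', '
        Location  = $install.InstallLocation
    }
}
```

Run it in an elevated PowerShell session on each Windows host where the utility might be installed, or push it through your endpoint management tool and collect the objects it emits. A Running value of False is only a point-in-time observation, since any user can start the utility later; an affected Version is a finding on its own, and the remediation is the upgrade, not stopping the process.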

Nation-State Threats

Cisco has been the target of numerous campaigns by nation-state threat actors in 2024. In April, a state-sponsored actor launched a cyber espionage campaign named ArcaneDoor, exploiting vulnerabilities in Cisco firewall platforms. In July, Chinese state-backed actors exploited a zero-day vulnerability to compromise Cisco Nexus switches.

Image credit: CryptoFx / Shutterstock.com
