Home Security Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks

Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks

by


Sep 05, 2024Ravie Lakshmanan

Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.

A brief description of the two vulnerabilities is below –

  • CVE-2024-20439 (CVSS score: 9.8) – The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
  • CVE-2024-20440 (CVSS score: 9.8) – A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API

While these shortcomings are not dependent on each other for them to be successful, Cisco notes in its advisory that they “are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.”

Cybersecurity

The flaws, which were discovered during internal security testing, also do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.

Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bug.

Cisco has also released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root.

The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.

“This vulnerability is due to insufficient validation of user-supplied input,” the company said. “An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.”

It impacts the following versions –

  • Cisco ISE 3.2 (3.2P7 – Sep 2024)
  • Cisco ISE 3.3 (3.3P4 – Oct 2024)

The company has also warned that a proof-of-concept (PoC) exploit code is available, although it’s not aware of any malicious exploitation of the bug.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex