Original Article Text

Cisco warns of backdoor admin account in Smart Licensing Utility. Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges. CSLU is a Windows application that helps manage licenses and linked products on-premise without connecting them to Cisco's cloud-based Smart Software Manager solution.

The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential for an administrative account." "A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application," it explained.

Cisco also released security updates for a critical CSLU information disclosure vulnerability (CVE-2024-20440) that unauthenticated threat actors can exploit to access log files containing sensitive data (including API credentials) by sending crafted HTTP requests to affected devices.

The two security vulnerabilities only impact systems running a vulnerable Cisco Smart Licensing Utility release, regardless of their software configuration. The security flaws are only exploitable if a user starts the Cisco Smart Licensing Utility, which is not designed to run in the background. The Cisco Product Security Incident Response Team (PSIRT) says it has yet to find public exploits or evidence of threat actors exploiting the security flaws in attacks.

This isn't the first backdoor account Cisco has removed from its products in recent years. Previous undocumented hardcoded credentials were found in the company's Digital Network Architecture (DNA) Center, IOS XE, and Wide Area Application Services (WAAS) software.

Last month, Cisco also patched a maximum severity vulnerability (CVE-2024-20419) that enables attackers to change any user password on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers. Three weeks later, the company said that exploit code had been published online and warned admins to patch their SSM On-Prem servers to block potential attacks. In July, Cisco fixed an NX-OS zero-day (CVE-2024-20399) that had been exploited since April to install previously unknown malware as root on vulnerable MDS and Nexus switches. Cisco also warned in April that state-backed hackers (tracked as UAT4356 and STORM-1849) exploited two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide.

Daily Brief Summary

CYBERCRIME // Cisco Removes Backdoor Account in Licensing Utility, Issues Updates

Cisco has eliminated a critical vulnerability in its Smart Licensing Utility by removing a backdoor account, which allowed unauthorized administrative access.

The security flaw, identified as CVE-2024-20439, enabled unauthenticated attackers to log into systems remotely via an undocumented static user credential.

Cisco also addressed another critical vulnerability (CVE-2024-20440) that could let attackers access sensitive data from log files through specially crafted HTTP requests.

The vulnerabilities affect only systems running a vulnerable release of the Cisco Smart Licensing Utility, regardless of configuration, and are exploitable only while the utility is running.

Cisco's updates follow a series of vulnerabilities across its products in recent years, including hardcoded credentials previously found in other Cisco software.

According to Cisco's PSIRT, there is no sign yet of public exploits or evidence that these vulnerabilities are being actively exploited.

Cisco has previously issued patches for other significant vulnerabilities, including those exploited by state-sponsored groups and other severe security lapses in its network equipment.