Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks

Sep 05, 2024 Ravie Lakshmanan

Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.

A brief description of the two vulnerabilities is below –

  • CVE-2024-20439 (CVSS score: 9.8) – The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
  • CVE-2024-20440 (CVSS score: 9.8) – A vulnerability arising from an excessively verbose debug log file that an attacker could exploit to access such files via a crafted HTTP request and obtain credentials that can be used to access the API
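The second flaw belongs to a well-known class: a debug log that records credentials verbatim, so anyone who can read the file inherits API access. The usual mitigation is to scrub secrets before any handler writes a record, independent of the configured log level. The following is an added illustrative example, not Cisco's code and not the Smart Licensing Utility's logging implementation; the secret patterns, the `redact-demo` logger name and the sample request line are all constructed for this example.

```python
import io
import logging
import re

# Illustrative patterns for values that must never reach a log file.
# Group 1 keeps the key name for readability; group 2 is the secret value.
# These are constructed for this example, not taken from any product.
_SECRET_PATTERNS = [
    re.compile(r'(?i)(authorization:\s*bearer\s+)([A-Za-z0-9._\-]+)'),
    re.compile(r'(?i)(password["\']?\s*[:=]\s*["\']?)([^"\'\s,&]+)'),
    re.compile(r'(?i)(api[_-]?key["\']?\s*[:=]\s*["\']?)([^"\'\s,&]+)'),
]


def redact(text: str) -> str:
    """Replace every secret value with a fixed marker, keeping the key name."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + '[REDACTED]', text)
    return text


class RedactingFilter(logging.Filter):
    """Logger-level filter: runs before any handler sees the record, so the
    scrubbed text is what reaches files, consoles and remote collectors."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then scrub the result and
        # drop the args so handlers do not re-apply %-formatting.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_and_capture(message: str) -> str:
    """Log one DEBUG message through a redacting logger and return the line
    the handler actually wrote. Uses an in-memory buffer in place of a file."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))

    logger = logging.getLogger("redact-demo")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)  # verbose on purpose: the filter must still hold
    logger.addHandler(handler)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())

    logger.debug(message)
    handler.flush()
    logger.removeHandler(handler)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample of what an over-verbose HTTP debug logger might record.
    sample = 'POST /api/login HTTP/1.1 Authorization: Bearer abc.def-123 body=password=hunter2&user=admin'
    print(log_and_capture(sample))
```

The filter is attached to the logger rather than to a handler so that adding a second destination later (a file, syslog, a collector) cannot bypass it; the trade-off is that regex-based scrubbing only catches shapes you anticipated, so it complements, rather than replaces, never passing credentials into log calls in the first place.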

While these shortcomings are not dependent on each other to be successful, Cisco notes in its advisory that they “are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.”


The issues, which were discovered during internal security testing, also do not affect the Smart Software Manager On-Prem and Smart Software Manager Satellite products.

Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bug.

Cisco has also released updates to address a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on the underlying operating system and elevate privileges to root.

The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.

“This vulnerability is due to insufficient validation of user-supplied input,” the company said. “An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.”

It affects the following versions –

  • Cisco ISE 3.2 (3.2P7 – Sep 2024)
  • Cisco ISE 3.3 (3.3P4 – Oct 2024)

The company has also warned that proof-of-concept (PoC) exploit code is available, although it is not aware of any malicious exploitation of the bug.
