Cisco patches critical flaws in Smart Licensing Utility and Identity Services Engine


Earlier this week, Cisco introduced new patches that fix bugs in different products, which allowed threat actors to log in to, or take over, vulnerable devices.

First, it addressed an OS command injection vulnerability, caused by insufficient validation of user-supplied input, found in Cisco’s Identity Services Engine (ISE). This one is tracked as CVE-2024-20469 and carries a severity score of 6.0. Cisco's ISE is a network access control and policy management platform that enables organizations to enforce security policies across their network.

In theory, a local attacker could submit a malicious CLI command and escalate privileges on vulnerable systems to root, but they need to have admin rights on the unpatched system to begin with.

Bugs in SLU

"A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root," Cisco said in an advisory, adding that it is aware of proof-of-concept code circulating online. So far, there is no evidence of successful abuse, though.

Versions 3.2 and 3.3 are affected, and to secure their deployments, admins should upgrade to 3.2P7 and 3.3P4, respectively.

The second flaw that was recently addressed is a backdoor account that was found in Cisco’s Smart Licensing Utility (SLU) software for Windows. SLU is a tool that helps manage and activate software licenses for Cisco products using the Smart Licensing system. The bug, described as an “undocumented static user credential for an administrative account,” is tracked as CVE-2024-20439 and carries a severity score of 9.8.

The third flaw, tracked as CVE-2024-20440, is due to excessive verbosity in a debug log file. As a result, crooks could remotely access sensitive information. This one, too, has a 9.8 severity score.

SLU versions 2.0.0, 2.1.0, and 2.2.0 were said to be vulnerable. The first fixed version is 2.3.0.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.