News: 1725560108

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Cisco's Smart Licensing Utility flaws suggest it's pretty dumb on security

(2024/09/05)


If you're running Cisco's supposedly Smart Licensing Utility, there are two flaws you ought to patch right now.

"Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running," the networking giant [1]warned about two critical issues.

"Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities."

[2]

The two independent flaws could allow a remote attacker to sign themselves in with admin privileges and subvert the whole system. That's bad if untrusted people or rogue users can reach the licensing service. If you have other defenses in front of the Cisco software, that'll mitigate the risk.

[3]

[4]

The vulnerabilities are:

CVE-2024-20439 - The flaw allows "an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential," Cisco said. There's full admin access to be had for a cunning attacker.

CVE-2024-20440 - Cisco blames "excessive verbosity in a debug log file" for this bug, which allows a carefully designed HTTP request to "obtain log files that contain sensitive data, including credentials that can be used to access the API." In other words, [5]game over, man (NSFW language.)

Both flaws have a CVSS rating of 9.8 out of 10 in severity and have no workaround. The networking biz has no further comment on the blunders.

A Cisco spokesperson told The Register , "These vulnerabilities are not exploitable unless the Cisco Smart Licensing Utility was started by a user and is actively running."

The vendor's Product Security Incident Response Team (PSIRT) "is not aware of any malicious use of these vulnerabilities, and fixed software is available," the spokesperson said.

[6]Maximum-severity Cisco vulnerability allows attackers to change admin passwords

[7]No rest for the wiry as Cisco Nexus switches flip out over latest zero-day

[8]You had a year to patch this Veeam flaw – and now it's going to hurt some more

[9]Microsoft squashes SmartScreen security bypass bug exploited in the wild

The issues were found internally by network security engineer Eric Vance, so hopefully, online crims haven't got around to exploiting them. But now that they are public, scumbags will pile in if they can find a vulnerable instance to attack, so patch now.

Also, as always, check your support license. "Customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner," it warns as a matter of course.

[10]

"In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades." ®

Get our [11]Tech Resources



[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZtoqBOsilpP9azlCbOcorgAAAVE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtoqBOsilpP9azlCbOcorgAAAVE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZtoqBOsilpP9azlCbOcorgAAAVE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://www.youtube.com/watch?v=dsx2vdn7gpY

[6] https://www.theregister.com/2024/07/18/maximumseverity_cisco_vulnerability_allows_attackers/

[7] https://www.theregister.com/2024/07/02/cisco_nexus_zero_day/

[8] https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/

[9] https://www.theregister.com/2024/04/10/april_patch_tuesday/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZtoqBOsilpP9azlCbOcorgAAAVE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[11] https://whitepapers.theregister.com/



What, again?

Anonymous Coward

This isn't the first time some cisco thing turns out to come with hard-coded full-access credentials. One previous occurrence was with their VoIP provisioning suite, maybe?

And of course you need a current-and-paid-up service contract or their broken software remains broken for you. In a better world this would give rise to lawsuits of having sold goods that turn out to be unfit-for-service (as [1]Software Does Not Fail ). As it is, cisco manages to fleece their customers even in failure. I'd boot them off my preferred suppliers list if they were on it.

[1] http://niquette.com/paul/issue/softwr02.htm

You're always thinking you're gonna be the one that makes 'em act different.
-- Woody Allen, "Manhattan"