Cisco Fixes Two Vital Flaws in Good Licensing Utility to Forestall Distant Assaults

Sep 05, 2024Ravie Lakshmanan

Cisco has launched safety updates for 2 vital safety flaws impacting its Good Licensing Utility that might enable unauthenticated, distant attackers to raise their privileges or entry delicate info.

A quick description of the 2 vulnerabilities is beneath –

• CVE-2024-20439 (CVSS rating: 9.8) – The presence of an undocumented static person credential for an administrative account that an attacker might exploit to log in to an affected system

• CVE-2024-20440 (CVSS rating: 9.8) – A vulnerability arising as a consequence of an excessively verbose debug log file that an attacker might exploit to entry such information by the use of a crafted HTTP request and procure credentials that can be utilized to entry the API

Whereas these shortcomings aren’t depending on one another for them to achieve success, Cisco notes in its advisory that they “aren’t exploitable until Cisco Good Licensing Utility was began by a person and is actively working.”

The issues, which had been found throughout inner safety testing, additionally don’t have an effect on Good Software program Supervisor On-Prem and Good Software program Supervisor Satellite tv for pc merchandise.

Customers of Cisco Good License Utility variations 2.0.0, 2.1.0, and a pair of.2.0 are suggested to replace to a set launch. Model 2.3.0 of the software program is just not prone to the bug.

Cisco has additionally launched updates to resolve a command injection vulnerability in its Id Companies Engine (ISE) that might allow an authenticated, native attacker to run arbitrary instructions on an underlying working system and elevate privileges to root.

The flaw, tracked as CVE-2024-20469 (CVSS rating: 6.0), requires an attacker to have legitimate administrator privileges on an affected system.

“This vulnerability is because of inadequate validation of user-supplied enter,” the corporate said. “An attacker might exploit this vulnerability by submitting a crafted CLI command. A profitable exploit might enable the attacker to raise privileges to root.”

It impacts the next variations –

• Cisco ISE 3.2 (3.2P7 – Sep 2024)
• Cisco ISE 3.3 (3.3P4 – Oct 2024)

The corporate has additionally warned {that a} proof-of-concept (PoC) exploit code is on the market, though it isn’t conscious of any malicious exploitation of the bug.