Cisco has recently disclosed multiple critical vulnerabilities in its Smart Licensing Utility (CSLU), which could allow unauthenticated, remote attackers to gain administrative access or collect sensitive information from affected systems.

These vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, are present in several versions of the software and have been rated with a high severity score of 9.8 on the CVSS scale, indicating the potential for significant impact on confidentiality, integrity, and availability of the systems.

The first vulnerability, CVE-2024-20439, is due to an undocumented, static user credential for an administrative account. This flaw allows attackers to log into affected systems with administrative privileges by exploiting these static credentials.

The second vulnerability, CVE-2024-20440, involves excessive verbosity in a debug log file, which can be exploited by sending crafted HTTP requests to obtain sensitive data, including API credentials.

Cisco has confirmed that these vulnerabilities affect systems running vulnerable releases of the Cisco Smart Licensing Utility, regardless of their software configuration.

However, the vulnerabilities are only exploitable when the utility is actively running, which requires user initiation. These issues do not affect Cisco’s Smart Software Manager On-Prem and Smart Software Manager Satellite.

In response, Cisco has released software updates to address these vulnerabilities and advises all users to upgrade to the fixed releases as soon as possible. The affected versions include 2.0.0, 2.1.0, and 2.2.0, with version 2.3.0 confirmed as not vulnerable. There are currently no workarounds available, making the updates crucial for securing systems.

Cisco’s security team discovered the vulnerabilities internally, and there have been no reports of exploiting them in the wild. Cisco emphasizes the importance of regular software updates and encourages users to consult their security advisories for the latest information on vulnerabilities and fixes.

The Cisco Product Security Incident Response Team (PSIRT) has stated that there are no known public announcements or evidence of malicious use of the vulnerabilities in the Cisco Smart Licensing Utility at this time

Organizations using Cisco Smart Licensing Utility must review their current software versions and apply the necessary updates to protect against potential exploits.