Attackers probing backdoor flaw in popular Cisco Smart Licensing Utility, warns SANS

Organizations running Cisco’s Smart Licensing Utility (CSLU) should update their software as soon as possible to fix two serious vulnerabilities, the SANS Technology Institute has urged.

The CSLU is a tool used primarily in smaller, on-premises and air-gapped networks as a way to manage Cisco licenses without having to resort to the more complex cloud-based Cisco Smart Licensing.

According to a March 19 warning by Dean of Research Johannes Ullrich, SANS has detected “some exploit activity” aimed at the flaws, first made public by Cisco last September.

This shouldn’t be a surprise; only weeks after that advisory, Aruba threat researcher Nicholas Starke reverse engineered the first of the flaws, an undocumented backdoor accessible using a weak hardcoded password. SANS detected that password being deployed in recent calls through the API, Ullrich said.

It won’t have helped matters that Cisco’s advisory, unavoidably, told everyone what to look for: “This vulnerability is due to an undocumented static user credential for an administrative account,” it read.

For hackers (and researchers), this would be too tempting to pass over. Finding and exploiting backdoors is almost a sport in some quarters. Advisories are normally written to keep descriptions as generic and detail-free as possible, but a hardcoded credential is hard to describe without also telling attackers exactly what to look for.

Backdoor secrecy

The hardcoded password flaw, identified as CVE-2024-20439, could be exploited to gain administrator privileges through the application's API. The second flaw, CVE-2024-20440, could allow an attacker to retrieve log files containing sensitive data, including API credentials.

Cisco rated CVE-2024-20439 at CVSS 9.8 and CVE-2024-20440 at 7.5, but the vulnerabilities could clearly be used together in ways that amplify their danger, making patching even more imperative. The affected versions of CSLU are 2.0.0, 2.1.0, and 2.2.0; version 2.3.0 is the patched version. Cisco's advisory noted that CSLU does not run in the background by default, so the flaws are only exploitable while a user has started the utility and it is actively running, but that is a mitigation, not a fix: there is no workaround, and upgrading is the only remedy.
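To make the "undocumented static user credential" class of flaw concrete, here is an added example (not Cisco's code, and the account name and password in it are constructed placeholders, not the real CSLU credential): a login check with a baked-in administrative account, beside a hardened version that only knows the accounts an operator has provisioned and stores them as salted hashes. The point is that the static credential works on every installation, can be recovered from the shipped binary, and cannot be rotated by the customer.

```python
"""Static admin credential (the pattern behind CVE-2024-20439) vs. a hardened login check.
Illustrative code only; account names and passwords are constructed placeholders."""
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 100_000

# --- Vulnerable pattern ---------------------------------------------------
# A constant pair like this, compiled into the product, is exactly what a
# reverse engineer pulls out of the binary: it is identical on every install.
_STATIC_ADMIN = ("svc-admin", "example-static-password")  # constructed placeholder


def authenticate_vulnerable(username, password, user_db):
    """Return the role for a successful login, or None.

    user_db maps username -> {"password": plaintext, "role": str}.
    """
    if (username, password) == _STATIC_ADMIN:
        # Backdoor: grants admin on any deployment, regardless of user_db contents.
        return "admin"
    rec = user_db.get(username)
    if rec and rec["password"] == password:  # plaintext compare is a second problem
        return rec["role"]
    return None


# --- Hardened pattern -----------------------------------------------------
def make_record(password, role, iterations=DEFAULT_ITERATIONS):
    """Build a stored-credential record: random salt + PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations, "role": role}


def authenticate_hardened(username, password, user_db, iterations=DEFAULT_ITERATIONS):
    """Return the role for a successful login, or None.

    No built-in accounts: if the operator has provisioned nothing, nothing logs in.
    user_db maps username -> record from make_record().
    """
    rec = user_db.get(username)
    if rec is None:
        # Spend comparable work for unknown users so response time does not
        # reveal which account names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, iterations)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    if hmac.compare_digest(candidate, rec["digest"]):  # constant-time comparison
        return rec["role"]
    return None


if __name__ == "__main__":
    empty_db = {}
    print("vulnerable, empty db:", authenticate_vulnerable("svc-admin", "example-static-password", empty_db))
    print("hardened,   empty db:", authenticate_hardened("svc-admin", "example-static-password", empty_db))
    db = {"ops": make_record("correct horse battery staple", "operator", iterations=1_000)}
    print("hardened, provisioned user:", authenticate_hardened("ops", "correct horse battery staple", db))
```

The vulnerable function returns "admin" for the static pair even when the account database is empty, which is the defining property of a backdoor; the hardened function has no code path that succeeds without a provisioned record. Any credential a product genuinely needs at first boot belongs in a per-install, operator-set secret, never in the shipped code.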

CSLU is a recent product, so one might have expected it to be better secured. That said, Cisco has a history of this type of flaw, with hardcoded credentials being discovered in Cisco Firepower Threat Defense, Emergency Responder, and further back in Digital Network Architecture (DNA) Center, to name only some of the affected products.

As Ullrich of the SANS wrote rather sarcastically in the organization’s new warning: “The first one [CVE-2024-20439] is one of the many backdoors Cisco likes to equip its products with.”

Source: Network World