Cisco's Smart Licensing Utility flaws suggest it's pretty dumb on security

If you're running Cisco's supposedly Smart Licensing Utility, there are two flaws you ought to patch right now.

"Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running," the networking giant warned about two critical issues.

"Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities."

The two independent flaws could allow a remote attacker to sign themselves in with admin privileges and subvert the whole system. That's bad if untrusted people or rogue users can reach the licensing service. If you have other defenses in front of the Cisco software, that'll mitigate the risk.

The vulnerabilities are:

• CVE-2024-20439 - The flaw allows "an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential," Cisco said. There's full admin access to be had for a cunning attacker.
• CVE-2024-20440 - Cisco blames "excessive verbosity in a debug log file" for this bug, which allows a carefully designed HTTP request to "obtain log files that contain sensitive data, including credentials that can be used to access the API." In other words, game over, man (NSFW language.)

Both flaws have a CVSS rating of 9.8 out of 10 in severity and have no workaround. That said, a Cisco spokesperson told The Register today: "These vulnerabilities are not exploitable unless the Cisco Smart Licensing Utility was started by a user and is actively running."

The vendor's Product Security Incident Response Team (PSIRT) "is not aware of any malicious use of these vulnerabilities, and fixed software is available," the spokesperson added.

• Maximum-severity Cisco vulnerability allows attackers to change admin passwords
• No rest for the wiry as Cisco Nexus switches flip out over latest zero-day
• You had a year to patch this Veeam flaw – and now it's going to hurt some more
• Microsoft squashes SmartScreen security bypass bug exploited in the wild

The issues were found internally by network security engineer Eric Vance, so hopefully, online crims haven't got around to exploiting them. But now that they are public, scumbags will pile in if they can find a vulnerable instance to attack, so patch now.

Also, as always, check your support license. "Customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner," it warns as a matter of course.

"In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades." ®