TechRadar
Sead Fadilpašić

Cisco patches critical flaws in Smart Licensing Utility and Identity Services Engine

Earlier this week, Cisco released patches fixing bugs in several of its products that could allow threat actors to log in to, or take over, vulnerable devices.

First, it addressed an OS command injection vulnerability in Cisco’s Identity Services Engine (ISE), caused by insufficient validation of user-supplied input. This one is tracked as CVE-2024-20469 and carries a severity score of 6.0. Cisco's ISE is a network access control and policy management platform that lets organizations enforce security policies across their network.

In theory, a local attacker could submit a malicious CLI command and escalate privileges on a vulnerable system to root, but they would need admin rights on the unpatched system to begin with.

Bugs in SLU

"A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root," Cisco said in an advisory, adding that it is aware of proof-of-concept code circulating online. So far, there is no evidence of successful abuse, though.

Versions 3.2 and 3.3 are affected; to secure their deployments, admins should upgrade to 3.2P7 and 3.3P4, respectively.

The second flaw that was recently addressed is a backdoor account found in the Cisco Smart Licensing Utility (SLU) for Windows. SLU is a tool that helps manage and activate software licenses for Cisco products through the Smart Licensing system. The bug, described as an “undocumented static user credential for an administrative account,” is tracked as CVE-2024-20439 and carries a severity score of 9.8.

The third flaw, tracked as CVE-2024-20440, is due to excessive verbosity in a debug log file. As a result, a remote attacker could access sensitive information. This one, too, has a 9.8 severity score.

SLU versions 2.0.0, 2.1.0, and 2.2.0 were said to be vulnerable. The first fixed version is 2.3.0.
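As an added example (not from the article, and not Cisco's code), the Python helper below parses the two version formats quoted above (ISE's "3.2P7" patch notation and SLU's three-part numbers) and flags which installed builds still sit below the first fixed release; the affected/fixed mapping is taken from the article and should be confirmed against the vendor advisory, and the sample inventory and hostnames are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases as stated in the article (assumed mapping for this example).
ISE_FIXED_PATCH = {(3, 2): 7, (3, 3): 4}          # CVE-2024-20469: 3.2P7 / 3.3P4
SLU_AFFECTED = {(2, 0, 0), (2, 1, 0), (2, 2, 0)}  # CVE-2024-20439 / -20440
SLU_FIRST_FIXED = (2, 3, 0)

# ISE versions read "3.2P7": release 3.2, patch 7; a bare "3.2" is patch 0.
_ISE_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*P(?:atch)?\s*(\d+))?$", re.IGNORECASE)

def parse_ise_version(s: str) -> Tuple[int, int, int]:
    m = _ISE_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version: {s!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def ise_status(s: str) -> Optional[bool]:
    """True = vulnerable, False = patched, None = train not covered by the advisory."""
    major, minor, patch = parse_ise_version(s)
    fixed = ISE_FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch < fixed

def slu_status(s: str) -> Optional[bool]:
    """True for the three listed affected builds, False from 2.3.0 up, None otherwise."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SLU version: {s!r}")
    v = (int(parts[0]), int(parts[1]), int(parts[2]))
    if v in SLU_AFFECTED:
        return True
    return False if v >= SLU_FIRST_FIXED else None
CHECKS = {"ISE": ise_status, "SLU": slu_status}

def triage(inventory):
    """Map (host, product, version) to a verdict; unsettled or unparsable entries go to manual review."""
    labels = {True: "VULNERABLE", False: "patched", None: "review"}
    out = []
    for host, product, version in inventory:
        try:
            out.append((host, labels[CHECKS[product](version)]))
        except (KeyError, ValueError):
            out.append((host, "review"))
    return out

# Constructed sample inventory; the hostnames are not real.
SAMPLE = [("ise-01", "ISE", "3.2P6"), ("ise-02", "ISE", "3.3P4"),
          ("ise-03", "ISE", "3.1P9"), ("lic-01", "SLU", "2.1.0"),
          ("lic-02", "SLU", "2.3.0"), ("lic-03", "SLU", "2.0.x")]
```

Releases the article does not mention (for example ISE 3.1 or SLU 2.0.1) are deliberately returned as "review" rather than guessed either way.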

Via BleepingComputer
