Hackers Exploiting Multiple Cisco Smart Licensing Utility Vulnerability
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Researchers have detected active exploitation attempts targeting two critical vulnerabilities in Cisco’s Smart Licensing Utility that were patched approximately six months ago.
Threat actors leverage these flaws, which could potentially grant unauthorized access to sensitive licensing data and administrative functions.
The attacks target two critical vulnerabilities in Cisco Smart Licensing Utility that were disclosed in early September 2024.
CVE-2024-20439, with a maximum CVSS score of 9.8, functions essentially as a “backdoor,” allowing unauthenticated, remote attackers to access the software using hardcoded credentials.
The second vulnerability, CVE-2024-20440, also rated 9.8, involves “excessive verbosity in a debug log file” that exposes sensitive information, including API credentials.
Security researcher Nicholas Starke from Aruba, a Hewlett Packard Enterprise company, revealed that the vulnerable versions of the Cisco utility (2.0.0 through 2.2.0) contain a static administrative password: Library4C$LU.
This credential is embedded within the application’s API authentication mechanism, providing attackers with administrative privileges if successfully exploited.
Cisco Smart Licensing UtilityVulnerability
According to SANS researchers, attackers are sending specifically crafted HTTP requests to exploit these vulnerabilities.
One identified attack pattern shows threat actors attempting to access the API endpoint at /cslu/v1/scheduler/jobs using the hardcoded credentials. The HTTP request headers contain:
The Base64-encoded string in the Authorization header decodes to cslu-windows-client:Library4C$LU, matching the credentials identified in Starke’s research.
When successful, this grants attackers administrative access to the licensing utility, potentially allowing them to manage associated services or extract sensitive information from vulnerable systems.
The threat actors aren’t limiting their efforts to just Cisco products. The same group is also attempting to exploit other vulnerabilities, including what appears to be CVE-2024-0305, which affects certain DVR systems:
This suggests a broader scanning campaign targeting internet-exposed devices with known vulnerabilities.
Johannes Ullrich, Dean of Research at SANS, noted the irony that “it’s always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities” – both often containing hardcoded credentials that provide backdoor access.
Mitigations
Organizations utilizing Cisco Smart Licensing Utility should immediately update to version 2.3.0, which is not vulnerable to these exploits.
Network administrators should also examine logs for unauthorized access attempts targeting the /cslu/v1 endpoint, particularly those containing the compromised credentials.
Cisco has stated that these vulnerabilities are “not exploitable unless the Cisco Smart Licensing Utility was started by a user and is actively running,” though this provides little comfort given the widespread deployment of the software.
As exploitation attempts continue to increase, prompt patching remains the most effective mitigation against these critical security flaws.
#Cisco #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
Hackers Exploiting Multiple Cisco Smart Licensing Utility Vulnerability
Author: KaaviyaResearchers have detected active exploitation attempts targeting two critical vulnerabilities in Cisco’s Smart Licensing Utility that were patched approximately six months ago.
Threat actors leverage these flaws, which could potentially grant unauthorized access to sensitive licensing data and administrative functions.
The attacks target two critical vulnerabilities in Cisco Smart Licensing Utility that were disclosed in early September 2024.
CVE-2024-20439, with a maximum CVSS score of 9.8, functions essentially as a “backdoor,” allowing unauthenticated, remote attackers to access the software using hardcoded credentials.
The second vulnerability, CVE-2024-20440, also rated 9.8, involves “excessive verbosity in a debug log file” that exposes sensitive information, including API credentials.
Security researcher Nicholas Starke from Aruba, a Hewlett Packard Enterprise company, revealed that the vulnerable versions of the Cisco utility (2.0.0 through 2.2.0) contain a static administrative password: Library4C$LU.
This credential is embedded within the application’s API authentication mechanism, providing attackers with administrative privileges if successfully exploited.
Cisco Smart Licensing UtilityVulnerability
According to SANS researchers, attackers are sending specifically crafted HTTP requests to exploit these vulnerabilities.
One identified attack pattern shows threat actors attempting to access the API endpoint at /cslu/v1/scheduler/jobs using the hardcoded credentials. The HTTP request headers contain:
The Base64-encoded string in the Authorization header decodes to cslu-windows-client:Library4C$LU, matching the credentials identified in Starke’s research.
When successful, this grants attackers administrative access to the licensing utility, potentially allowing them to manage associated services or extract sensitive information from vulnerable systems.
The threat actors aren’t limiting their efforts to just Cisco products. The same group is also attempting to exploit other vulnerabilities, including what appears to be CVE-2024-0305, which affects certain DVR systems:
This suggests a broader scanning campaign targeting internet-exposed devices with known vulnerabilities.
Johannes Ullrich, Dean of Research at SANS, noted the irony that “it’s always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities” – both often containing hardcoded credentials that provide backdoor access.
Mitigations
Organizations utilizing Cisco Smart Licensing Utility should immediately update to version 2.3.0, which is not vulnerable to these exploits.
Network administrators should also examine logs for unauthorized access attempts targeting the /cslu/v1 endpoint, particularly those containing the compromised credentials.
Cisco has stated that these vulnerabilities are “not exploitable unless the Cisco Smart Licensing Utility was started by a user and is actively running,” though this provides little comfort given the widespread deployment of the software.
As exploitation attempts continue to increase, prompt patching remains the most effective mitigation against these critical security flaws.
#Cisco #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
