Cisco Smart Licensing Utility flaws under attack

Dive Brief:
- Johannes Ullrich of the SANS Internet Storm Center reported exploitation attempts this week against two critical Cisco vulnerabilities that were initially disclosed in September. CVE-2024-20439 is a static credential vulnerability in the Cisco Smart Licensing Utility, and CVE-2024-20440 is an information disclosure flaw in the utility.
- It’s unclear if the exploitation was successful, but Ullrich noted the static credential for CVE-2024-20439 was previously published by a security researcher and could be used to remotely access affected devices.
- Ullrich told Cybersecurity Dive the exploitation attempts likely originate from a smaller botnet, with activity spiking over the last week.
Dive Insight:
The two CVEs affect a wide range of Cisco products, though the networking giant noted in its advisory that the vulnerabilities cannot be exploited unless the Cisco Smart Licensing Utility was started by a user and is actively running.
In his SANS Internet Storm Center post, Ullrich referred to CVE-2024-20439, the static credential vulnerability, as a “backdoor” and warned that it offers easy access to vulnerable Cisco devices.
“These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with. A simple fixed password that can be used to obtain access,” he wrote. “The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file.”
Ullrich noted that security researcher Nicholas Starke published a blog post with technical details about the two CVEs in September, including the static credential to exploit CVE-2024-20439. As a result, Ullrich said it’s “no surprise” to see exploitation attempts.
The activity stems from a botnet that’s also engaged in other attacks and scanning, Ullrich told Cybersecurity Dive. Internet Storm Center sensors detected around 10 bots in recent days, but he said there are likely more than what the sensors picked up.
“In addition to the Cisco vulnerabilities, this botnet also scans for exposed secrets. For example, backup files like /backup.gz that are sometimes left behind by careless administrators,” he told Cybersecurity Dive. “The bots that are part of this botnet have been scanning for a variety of vulnerabilities for a few weeks now.”
Cybersecurity Dive contacted Cisco for comment regarding the reported exploitation attempts.