"Cisco Patches Critical Vulnerabilities in Smart Licensing Utility"

Cisco recently announced patches for multiple vulnerabilities, including two critical-severity flaws in Smart Licensing Utility and a medium-severity Identity Services Engine flaw for which proof-of-concept (PoC) code exists.

According to Cisco, the Smart Licensing Utility bugs, tracked as CVE-2024-20439 and CVE-2024-20440 (CVSS score of 9.8), could allow remote, unauthenticated attackers to access sensitive information or log in as administrators. CVE-2024-20439, Cisco notes, exists because an undocumented, static user credential for an administrative account is present in the Smart Licensing Utility. CVE-2024-20440 is caused by excessive verbosity in a debug log file, which could allow an attacker to send a crafted HTTP request and obtain log files containing sensitive data, including credentials. Cisco recommends migrating to Smart License Utility version 2.3.0, which is not vulnerable.

The Identity Services Engine (ISE) vulnerability, tracked as CVE-2024-20469, is a medium-severity issue in specific CLI commands that could allow authenticated attackers to inject commands on the underlying operating system and elevate privileges to root. Cisco says that the patches for the bug will be included in ISE version 3.2P7 (which rolls out this month) and in version 3.3P4 (expected to be released in October) and warns that PoC code targeting the vulnerability is available. Cisco says it is unaware of these vulnerabilities being exploited in the wild.


SecurityWeek reports: "Cisco Patches Critical Vulnerabilities in Smart Licensing Utility"

Submitted by Adam Ekwall on