- Security researchers say two Cisco Smart Licensing Utility flaws are being abused in the wild
- One of the flaws is a hardcoded administrative account
- Both flaws were patched in 2024, so users should update now
Cybercriminals are abusing two vulnerabilities in Cisco Smart Licensing Utility (CSLU) for as yet unknown purposes.
Johannes Ullrich, dean of research at the SANS Technology Institute, said that threat actors are now chaining the two security flaws to target CSLU instances exposed to the Internet.
“A quick search showed no active exploitation at that time, but the details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory. Therefore, it is not surprising that we are seeing some exploitation activity,” Ullrich said.
No workarounds
CSLU is a tool that helps organizations manage and report the use of Cisco software licenses in a more flexible and automated way.
It allows devices to connect to Cisco's smart licensing system, either directly or through a local satellite server, to register and track entitlements without requiring constant Internet access.
In September 2024, Cisco released a patch for CVE-2024-20439, an “undocumented static user credential for an administrative account”, which is a polite way of saying that someone left administrative credentials hardcoded in the back end.
The vulnerability allowed threat actors to log in to vulnerable systems remotely, via the CSLU API or application.
At the same time, Cisco patched CVE-2024-20440, an information disclosure vulnerability that threat actors could use to access log files containing sensitive information such as API credentials.
Abusing these flaws is not that simple, BleepingComputer notes, since it requires the victim to be running the CSLU application in the background, which is not its default configuration.
In any case, both vulnerabilities have been patched and there are no workarounds, so the only way to secure affected instances is to apply the patch.
In the security advisory for the flaws, Cisco said it “was not aware” of any public announcement or malicious use, which means the advisory pages have not yet been updated.
Via BleepingComputer