Cisco Addresses Backdoor Admin Account in Smart Licensing Utility

September 4, 2024

Cisco has removed a backdoor account from the Cisco Smart Licensing Utility (CSLU), a Windows application used to manage licenses and licensed products on premises without connecting them to Cisco's cloud-based Smart Software Manager. The account could have been used by unauthenticated attackers to gain administrative access to unpatched systems. The critical vulnerability, tracked as CVE-2024-20439, let a remote attacker log in to an unpatched system using an "undocumented static user credential for an administrative account." As Cisco puts it, "A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application." Because the credential is static, it is the same on every installation, so a single extraction from the software compromises every unpatched host running it. Cisco's advisory lists CSLU releases 2.0.0, 2.1.0 and 2.2.0 as affected and 2.3.0 as the fixed release.

In the same advisory, Cisco also fixed a critical information disclosure vulnerability in CSLU, tracked as CVE-2024-20440. An unauthenticated attacker could exploit it by sending specially crafted HTTP requests to an affected host and retrieve log files containing sensitive data, including API credentials, which in turn can be replayed against the CSLU API. Both flaws affect every system running a vulnerable CSLU release, regardless of configuration, and neither depends on the other. The practical mitigating factor is that CSLU is not designed to run as a background service: the vulnerabilities are exploitable only while a user has started the utility and it is listening, so an installed but idle copy is not reachable, although it remains a risk until updated.
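The two CSLU flaws are instances of two classic design mistakes: an administrative credential baked into the product, and credentials written into log files that the product's own HTTP interface can later hand back. The following is an added illustration of both anti-patterns beside their hardened forms; it is generic example code written for this page, not CSLU's code, and the usernames, passwords, regexes and sample log lines are all constructed placeholders, not the real CSLU credential or log format, which the advisory does not publish.

```python
"""Illustrative contrast, not CSLU code: a baked-in static admin credential versus a
per-install credential stored only as a salted hash, plus scrubbing of secrets before
they reach a log file that an API might later expose. All names/values are constructed."""
import hashlib
import hmac
import re
import secrets

# --- Vulnerable pattern: an undocumented static credential compiled into the product.
# Placeholder values only; the page does not disclose the real CSLU credential.
_STATIC_ADMIN_USER = "admin"
_STATIC_ADMIN_PASS = "example-static-password"


def vulnerable_authenticate(user: str, password: str) -> bool:
    """Every installation shares this pair, so anyone who extracts it from the
    software (or reads it out of a leaked log) is an administrator on every unpatched host."""
    return user == _STATIC_ADMIN_USER and password == _STATIC_ADMIN_PASS


# --- Hardened pattern: a random credential minted at install time and kept only as a
# salted PBKDF2 hash, so no two installs share a secret and the store leaks nothing reusable.
PBKDF2_ITERATIONS = 600_000


def create_admin_credential(user: str = "admin") -> tuple[str, dict]:
    """Return (password to show the installer exactly once, record to persist)."""
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = {"user": user, "salt": salt.hex(), "hash": digest.hex(),
              "iterations": PBKDF2_ITERATIONS}
    return password, record


def hardened_authenticate(record: dict, user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; the hash is always computed,
    so a wrong username costs the same time as a wrong password."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    password_ok = hmac.compare_digest(digest.hex(), record["hash"])
    user_ok = hmac.compare_digest(user.encode(), record["user"].encode())
    return password_ok and user_ok


# --- Log hygiene: a secret that never reaches the log file cannot be read back out of it,
# whatever an attacker manages to fetch over the HTTP API.
_KV_SECRET = re.compile(
    r'((?:password|passwd|api[_-]?key|token|secret)"?\s*[:=]\s*"?)([^"&\s,]+)', re.I)
_AUTH_HEADER = re.compile(r'((?:Basic|Bearer)\s+)[A-Za-z0-9+/=_\-.]+', re.I)


def redact(line: str) -> str:
    """Replace credential-looking values with a marker before the line is written."""
    line = _KV_SECRET.sub(r"\1[REDACTED]", line)
    return _AUTH_HEADER.sub(r"\1[REDACTED]", line)


# Constructed sample log lines (not taken from any real CSLU log).
SAMPLE_LOG = [
    "POST /api/login user=admin password=example-static-password",
    "GET /api/licenses Authorization: Bearer eyJ.constructed.token",
    '{"api_key": "sk-constructed-1234", "op": "register"}',
]


def demo() -> dict:
    """Exercise both authenticators and the redactor; returns the results for inspection."""
    generated_pw, record = create_admin_credential()
    static_pw = "example-static-password"
    return {
        "static_pair_still_works_in_vulnerable": vulnerable_authenticate("admin", static_pw),
        "static_pair_rejected_by_hardened": not hardened_authenticate(record, "admin", static_pw),
        "generated_pair_accepted_by_hardened": hardened_authenticate(record, "admin", generated_pw),
        "redacted_log": [redact(line) for line in SAMPLE_LOG],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the contrast is not the hashing itself but where the secret lives: in the vulnerable form the product ships the secret, so patching is the only remedy; in the hardened form each install owns its secret, and the redaction step means a log-disclosure bug like CVE-2024-20440 yields nothing an attacker can replay against the API.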

The Cisco Product Security Incident Response Team (PSIRT) says it is not aware of public exploit code or of in-the-wild exploitation of either flaw. This is not the first time Cisco has removed a backdoor account from one of its products: undocumented hardcoded credentials have previously been found in its Digital Network Architecture (DNA) Center, IOS XE, and Wide Area Application Services (WAAS) software.

Last month, Cisco patched a maximum-severity (CVSS 10.0) vulnerability, CVE-2024-20419, that allowed unauthenticated attackers to change the password of any user, including administrators, on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers. Three weeks later the company warned that exploit code for it had been published online and urged administrators to patch their SSM On-Prem servers before it was used in attacks.

In July, Cisco remedied an NX-OS zero-day (CVE-2024-20399) that had been exploited since April to install previously unknown malware as root on vulnerable MDS and Nexus switches. Cisco also issued a warning in April about state-backed hackers (tracked as UAT4356 and STORM-1849) who exploited two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to infiltrate government networks worldwide.
