Cisco Issues Critical Security Updates for Smart Licensing Utility and Identity Services Engine
Cisco has released patches addressing two critical security vulnerabilities in its Smart Licensing Utility, which could allow unauthenticated, remote attackers to escalate privileges or gain access to sensitive information.
The first flaw, identified as **CVE-2024-20439** (CVSS score: 9.8), is caused by an undocumented static user credential for an administrative account, allowing attackers to log into affected systems. The second, **CVE-2024-20440** (CVSS score: 9.8), results from an overly verbose debug log file that could be exploited through a crafted HTTP request, enabling attackers to extract credentials and access the API.
These vulnerabilities, which were discovered independently during internal security testing, are exploitable only while Cisco Smart Licensing Utility is actively running. Cisco Smart Software Manager On-Prem and Smart Software Manager Satellite products are not affected. Users of Smart Licensing Utility versions 2.0.0, 2.1.0, and 2.2.0 are urged to upgrade to version 2.3.0, which is unaffected.
In addition, Cisco has patched a command injection vulnerability (**CVE-2024-20469**, CVSS score: 6.0) in its Identity Services Engine (ISE), which could allow authenticated, local attackers to execute arbitrary commands and elevate privileges to root. The flaw affects Cisco ISE versions 3.2 and 3.3, with respective patch releases in September and October 2024. A proof-of-concept exploit is available, although Cisco has not observed any active exploitation of the bug.
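The two advisories above give a defender three facts to act on: which Smart Licensing Utility releases need the 2.3.0 upgrade, that those flaws only matter while the utility is running, and that the ISE flaw is local and authenticated (lower CVSS) but has a public proof of concept. The following triage helper turns that into a prioritised patch list. It is an added example, not Cisco's code or tooling; the host inventory, the `product` labels, the `running` flag and the priority numbers are constructed assumptions, and because the page does not name the ISE patch levels, ISE 3.2/3.3 hosts are flagged for verification rather than marked patched or unpatched.

```python
# Added triage example (not Cisco's code). Inventory, product labels, the
# "running" flag and priority tiers are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Facts taken from the advisory summary above.
SLU_AFFECTED = {"2.0.0", "2.1.0", "2.2.0"}      # Smart Licensing Utility releases to upgrade
SLU_FIXED = "2.3.0"
SLU_CVES = ("CVE-2024-20439", "CVE-2024-20440")  # both CVSS 9.8, unauthenticated remote
ISE_AFFECTED_TRAINS = {(3, 2), (3, 3)}          # Identity Services Engine 3.2 and 3.3
ISE_CVE = "CVE-2024-20469"                      # CVSS 6.0, authenticated local, PoC public


def normalize_version(text: str) -> Tuple[int, int, int]:
    """Turn inventory strings such as 'v2.2', '2.2.0' or '3.3.0-patch4' into a
    (major, minor, patch) tuple so comparisons are numeric, not lexical."""
    core = text.strip().lstrip("vV").split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


SLU_AFFECTED_NORMALIZED = {normalize_version(v) for v in SLU_AFFECTED}


@dataclass
class Host:
    name: str
    product: str           # assumed inventory labels: "slu" or "ise"
    version: str
    running: bool = True   # SLU flaws are only exploitable while the utility runs


@dataclass
class Finding:
    host: str
    cves: tuple
    priority: int          # 1 = act first
    reason: str


def assess(host: Host) -> Optional[Finding]:
    """Map one host to a finding using the page's affected-version facts."""
    ver = normalize_version(host.version)
    if host.product == "slu":
        if ver not in SLU_AFFECTED_NORMALIZED:
            return None  # 2.3.0 or a release the advisory does not list
        if host.running:
            return Finding(host.name, SLU_CVES, 1,
                           f"SLU {host.version} running: unauthenticated remote "
                           f"access possible, upgrade to {SLU_FIXED}")
        return Finding(host.name, SLU_CVES, 2,
                       f"SLU {host.version} installed but not running: not exploitable "
                       f"until started, still upgrade to {SLU_FIXED}")
    if host.product == "ise" and ver[:2] in ISE_AFFECTED_TRAINS:
        return Finding(host.name, (ISE_CVE,), 3,
                       f"ISE {host.version}: local authenticated command injection to "
                       "root, PoC public; verify the train's patch release is applied")
    return None


def triage(inventory: List[Host]) -> List[Finding]:
    """Findings sorted so running, remotely exploitable SLU hosts come first."""
    findings = [f for f in (assess(h) for h in inventory) if f is not None]
    return sorted(findings, key=lambda f: (f.priority, f.host))


# Constructed sample inventory; hostnames and versions are not real assets.
SAMPLE_INVENTORY = [
    Host("lic-01", "slu", "2.2.0", running=True),
    Host("lic-02", "slu", "v2.1", running=False),
    Host("lic-03", "slu", "2.3.0"),
    Host("ise-01", "ise", "3.3.0"),
    Host("ise-02", "ise", "3.1.0"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.host}: {', '.join(f.cves)} - {f.reason}")
```

The ordering encodes the advisory's own risk model: a running utility on an affected release is reachable by an unauthenticated remote attacker and goes first, an installed-but-stopped copy is a patch task rather than an incident, and ISE hosts on the affected trains need their patch level confirmed because the flaw requires an authenticated local user.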