- Security researchers say two bugs in Cisco's Smart Licensing Utility are being exploited in the wild
- One of the bugs is a hard-coded administrative account
- Both bugs were patched in 2024, so users should update now
Cybercriminals are exploiting two vulnerabilities in the Cisco Smart Licensing Utility (CSLU) for as yet unknown purposes.
Johannes Ullrich, Dean of Research at the SANS Technology Institute, reports that threat actors are now chaining the two security flaws to target CSLU instances exposed to the internet.
“A quick search did not show any active exploitation at the time, but the details, including the backdoor credentials, were published in a blog post by Nicholas Starke shortly after Cisco published its advisory. So it is not surprising that we are seeing exploitation activity,” Ullrich said.
No workaround
CSLU is a tool that helps organizations manage and report their use of Cisco software licenses in a more flexible and automated way.
It lets devices connect to Cisco's Smart Licensing system, either directly or through an on-premises satellite server, to register and track entitlements without requiring constant internet access.
In September 2024, Cisco announced a fix for CVE-2024-20439, described as a "static credential for an administrative account", which is a sophisticated way of saying that someone left a hard-coded admin login in the software.
The vulnerability allowed threat actors to log in remotely to vulnerable systems through the CSLU application's API.
At the same time, Cisco addressed CVE-2024-20440, an information disclosure vulnerability that threat actors used to retrieve log files containing sensitive information such as API credentials.
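The two weaknesses described above are generic classes of bug: a credential baked into the product (which every deployment shares) and a debug log that records secrets and is then served to an unauthenticated client. The snippet below is an added illustration, not CSLU's or Cisco's code; the account name, password, log line and token in it are constructed placeholders. It shows each weakness next to a hardened form: a login that only accepts accounts the operator provisioned, stored as salted hashes and compared in constant time, and a logger that redacts credential-looking fields before anything is written.

```python
import hashlib
import hmac
import os
import re

# --- Weakness 1: a static credential shipped with the product (CWE-798) ---

# Constructed placeholder account, NOT a real CSLU credential. The point is that
# anyone who reads the binary (or a blog post) can log in to every deployment.
BUILT_IN_ADMIN = ("admin", "S3cret-Default")


def vulnerable_login(user, password, provisioned):
    """Accepts the shipped admin account regardless of what the operator set up."""
    if (user, password) == BUILT_IN_ADMIN:
        return True
    return provisioned.get(user) == password  # plaintext comparison, also bad


# Hardened: there is no account the operator did not create, and only a salted
# hash of each password is stored.
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision(user, password, store):
    salt = os.urandom(16)
    store[user] = (salt, hash_password(password, salt))


def hardened_login(user, password, store):
    record = store.get(user)
    if record is None:
        # Burn comparable time so unknown users are not distinguishable by timing.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


# --- Weakness 2: secrets written to a log that can be fetched remotely (CWE-532) ---

# Matches fields like api_token=..., api-key: ..., password=... (case-insensitive).
SECRET_FIELD_RE = re.compile(r"(?i)(api[_-]?(?:key|token)|password)(\s*[=:]\s*)(\S+)")


def vulnerable_log_line(message):
    """Writes the message verbatim, token and all."""
    return message


def redacted_log_line(message):
    """Replaces the value of any credential-looking field before logging."""
    return SECRET_FIELD_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)


if __name__ == "__main__":
    store = {}
    provision("ops", "hunter2", store)  # constructed sample account
    print("shipped admin works on vulnerable:", vulnerable_login("admin", "S3cret-Default", {}))
    print("shipped admin works on hardened:  ", hardened_login("admin", "S3cret-Default", store))
    line = "POST /api/login api_token=abc123 status=ok"  # constructed sample log line
    print(vulnerable_log_line(line))
    print(redacted_log_line(line))
```

The hardened login deliberately has no fallback account: if the operator never provisioned a user, nobody can log in, which is the behaviour you want from a management API. The redaction regex is a last line of defence; the real fix is not to log credentials in the first place and not to expose log files over the same HTTP interface an attacker can reach.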
Abusing these flaws is not that simple, BleepingComputer notes, because it requires the victim to be running the CSLU application in the background, which is not its default state.
In any case, both vulnerabilities have been patched and there is no workaround, so the only way to secure your instances is to apply the update.
In its security advisory for the flaws, Cisco said it was "not aware" of any public announcements or malicious use, which means the advisory pages have not yet been updated.
Via BleepingComputer