Cisco patches critical flaws in Smart Licensing Utility and Identity Services Engine

Earlier this week, Cisco introduced new patches that fix bugs in different products, which allowed threat actors to log in to, or take over, vulnerable devices.

First, it addressed an OS command injection vulnerability, caused by insufficient validation of user-supplied input, found in Cisco’s Identity Service Engine (ISE). This one is tracked as CVE-2024-20469, and carries a severity score of 6.0. Cisco’s ISE is a network access control and policy management platform that enables organizations to enforce security policies across their network.

In theory, a local attacker could submit a malicious CLI command and escalate privileges on vulnerable systems to root, but they need to have admin rights on the unpatched system to begin with.

Bugs in SLU

“A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root,” Cisco said in an advisory, adding that it is aware of proof-of-concept code circulating online. So far, there is no evidence of successful abuse, though.

Versions 3.2 and 3.3 are affected, and to secure their premises, admins should upgrade to 3.2P7 and 3.3P4, respectively.

The second flaw that was recently addressed is a backdoor account that was found in Cisco’s Smart Licensing Utility Windows (SLU) software. SLU is a tool that helps manage and activate software licenses for Cisco products using the Smart Licensing system. The bug, described as an “undocumented static user credential for an administrative account,” is tracked as CVE-2024-20439, and carries a severity score of 9.8.

The third flaw, tracked as CVE-2024-20440, is due to excessive verbosity in a debug log file. As a result, crooks could access sensitive information, remotely. This one, too, has a 9.8 severity score.

SLU versions 2.0.0, 2.1.0, and 2.2.0, were said to be vulnerable. The first fixed version is 2.3.0.

Via BleepingComputer

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/HNekN3koBpwwwTby8U44ik-1200-80.jpg

Source link

Cybersecurity teams struggling to keep up with growing threat levels

Raspberry Pi takes a shot at AI with a camera and on-device processing

Four months since they launched, there’s not been a day I haven’t worn the Sonos Ace headphones

Can Apple beat Meta’s smart glasses by adding cameras and AI to AirPods Pro?

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Morgan Stanley says China stocks set for rally, names stocks

Piramal Pharma stock in focus on $80 million expansion plan for Kentucky injectables facility

Dollar sturdy after Powell pushes back on aggressive easing bets By Reuters

How to invest in the fourth quarter, according to the pros

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Cisco patches critical flaws in Smart Licensing Utility and Identity Services Engine

Morgan Stanley says China stocks set for rally, names stocks

Piramal Pharma stock in focus on $80 million expansion plan for Kentucky injectables facility

Dollar sturdy after Powell pushes back on aggressive easing bets By Reuters

How to invest in the fourth quarter, according to the pros

Leave a reply Cancel reply