Cisco has released security updates for two critical security flaws impacting its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information.
A brief description of the two vulnerabilities is below –
While these shortcomings are not dependent on each other for them to be successful, Cisco notes in its advisory that they “are not exploitable unless Cisco Smart Licensing Utility was started by a user and is actively running.”
The flaws, which were discovered during internal security testing, also do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.
Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 of the software is not susceptible to the bug.
Cisco has also released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root.
The flaw, tracked as CVE-2024-20469 (CVSS score: 6.0), requires an attacker to have valid administrator privileges on an affected device.
“This vulnerability is due to insufficient validation of user-supplied input,” the company said. “An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.”
It impacts the following versions –
The company has also warned that a proof-of-concept (PoC) exploit code is available, although it’s not aware of any malicious exploitation of the bug.
