Cisco on Wednesday announced patches for multiple vulnerabilities, including two critical-severity flaws in Smart Licensing Utility and a medium-severity Identity Services Engine flaw for which proof-of-concept (PoC) code exists.
The Smart Licensing Utility bugs, tracked as CVE-2024-20439 and CVE-2024-20440 (CVSS score of 9.8), could allow remote, unauthenticated attackers to access sensitive information or log in as administrators.
CVE-2024-20439, Cisco notes in its advisory, exists because an undocumented static user credential for an administrative account is present in the Smart Licensing Utility.
“An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application,” the tech giant explains.
CVE-2024-20440, on the other hand, is caused by excessive verbosity in a debug log file, which could allow an attacker to send a crafted HTTP request and obtain log files containing sensitive data, including credentials.
With no workarounds available for the security defect, Cisco recommends migrating to Smart License Utility version 2.3.0, which is not vulnerable.
The Identity Services Engine (ISE) vulnerability, tracked as CVE-2024-20469, is a medium-severity issue in specific CLI commands that could allow authenticated attackers to inject commands on the underlying operating system and elevate privileges to root.
“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command,” Cisco explains.
The tech giant says that patches for the bug will be included in ISE version 3.2P7 (which rolls out this month), and in version 3.3P4 (expected to be released in October), and warns that PoC code targeting the vulnerability is available.
On Wednesday, Cisco also announced patches for a high-severity code execution bug in Cisco Meraki Systems Manager (SM) agent for Windows, and for medium-severity flaws in Expressway Edge (Expressway-E) and Duo Epic for Hyperdrive.
The company says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on Cisco’s security advisories page.
Related: Cisco Patches Multiple NX-OS Software Vulnerabilities
Related: Cisco Patches High-Severity Vulnerability Reported by NSA
Related: Cisco Cuts Thousands of Jobs, 7% of Workforce, As It Shifts Focus to AI, Cybersecurity
Related: Cisco to Acquire Isovalent, Add eBPF Tech to Cloud Portfolio
