Cisco Smart Licensing Utility Vulnerabilities Under Hacker Exploitation

Recent reports indicate that hackers are actively trying to exploit two critical vulnerabilities in the Cisco Smart Licensing Utility.

These vulnerabilities, identified as CVE-2024-20439 and CVE-2024-20440, were disclosed by Cisco in September.

The first vulnerability involves a static credential issue, while the second is an information disclosure vulnerability related to excessive logging.

Overview of the Vulnerabilities

• CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability
  This vulnerability involves the use of a fixed password that could allow attackers unauthorized access to affected systems. This type of vulnerability is not uncommon in software, acting as a backdoor for product maintenance or troubleshooting.
• CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability
  This vulnerability relates to an issue where log files disclose more sensitive information than intended. By exploiting the first vulnerability, attackers can potentially access these log files, leading to further security risks.

Exploit Attempts and Activity

According to the SANS Institute report, Details about the vulnerabilities, including the backdoor credentials, were published shortly after the advisory was released.

It has been noted that exploit attempts are focused on the API endpoint located at /cslu/v1. One of the observed requests includes:

GET /cslu/v1/scheduler/jobs HTTP/1.1

Host: [redacted]:80

Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=

Connection: close

The base64 encoded string in this request decodes to cslu-windows-client:Library4C$LU, which were previously identified by a blog post by Nicholas Starke as default credentials.

The group behind these exploits is also probing for other vulnerabilities, including scanning for configuration files like “/web.config.zip”.

They are also targeting what appears to be a DVR-related vulnerability, possibly CVE-2024-0305, although the exact CVE is uncertain. Another exploit attempt involves different credentials:

GET /classes/common/busiFacade.php HTTP/1.1

Host: [redacted]:80

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36

Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==

Content-Type: application/x-www-form-urlencoded

Connection: close

These credentials decode to helpdeskIntegrationUser:dev-C4F8025E.

The vulnerability in Cisco’s Smart Licensing Utility highlights a broader issue where both low-cost IoT devices and high-end enterprise security software often share similar basic vulnerabilities.

As hackers continue to exploit such weaknesses, organizations must remain vigilant and promptly apply patches to protect their systems.

Recommendations for Users:

1. Update and Patch: Ensure all software and systems are updated with the latest security patches.
2. Monitor Activity: Regularly monitor system logs for unusual access attempts.
3. Secure Credentials: Use strong passwords and avoid default credentials whenever possible.

In today’s cyber landscape, proactive security measures can significantly mitigate the risk of successful exploits.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free