Thursday, December 5, 2024
HomeCVE/vulnerabilityResearcher Details Cisco Smart Licensing that Lets Attacker Control Device

Researcher Details Cisco Smart Licensing that Lets Attacker Control Device

Published on

SIEM as a Service

Cisco disclosed a critical vulnerability identified as CVE-2024-20439, affecting its Smart Licensing Utility.

An independent researcher discovered this vulnerability through reverse engineering. It involves a hardcoded static password that could allow attackers to gain unauthorized access and control over affected devices.

The vulnerability highlights significant security concerns for organizations using Cisco’s licensing systems.

- Advertisement - SIEM as a Service

Target Application

This vulnerability primarily affects the Cisco Smart Licensing Utility, which is available for Windows and Linux platforms.

The researcher downloaded the Linux version and extracted its contents using standard command-line tools. The utility is built as an Electron application on top of a REST API written in Golang.

 The REST API listens on all network interfaces by default, exposing it to potential external threats. 

According to the Starkeblog, the researcher utilized the Ghidra Golang Extension to analyze the cslu-api binary, uncovering the hardcoded password “Library4C$LU.”

This password is embedded within the APIClient.js file of the Electron component, facilitating unauthorized access through HTTP Basic Authentication.

Download Free Incident Response Plan Template for Your Security Team – Free Download

Electron Component

The critical credentials were found in the resources/app.asar file within the installer package. The .asar file is an Electron archive that can be extracted to reveal its contents.

The APIClient.js file contains the following code snippet:

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
var axios_1 = require("axios");
var https = require("https");
var rxjs_1 = require("rxjs");
var APIClient = /** @class */ (function () {
    function APIClient(config) {
        this.protocol = "http";
        this.apiHost = "localhost";
        this.apiPort = 4596;
        this.apiEndpointPath = "/cslu/v1";
        this.basicAuthUserName = "cslu-windows-client";
        this.basicAuthPassword = "Library4C$LU";
        if (!!APIClient.getInstance()) {
            return APIClient.getInstance();
        }
        [...]

This code reveals that versions 2.0.0 to 2.2.0 of the application use these credentials for HTTP Basic Authentication, posing a significant security risk.

Analysis and Next Steps

The vulnerability is particularly severe because the cslu-api process listens on all network interfaces, allowing attackers with network access to exploit it easily.

Versions 2.0.0 and 2.1.0 also share these credentials, making them equally vulnerable. 

Golang binary
Golang binary

The researcher suggests further analysis could involve developing tools or Metasploit modules to exploit this vulnerability and extract data from compromised systems.

However, they emphasize that updating to version 2.3.0 or later mitigates this risk by removing the hardcoded password. 

Organizations using Cisco’s Smart Licensing Utility are urged to update their software immediately to protect against potential exploitation.

Cisco’s advisory provides detailed instructions on securing affected systems and mitigating risks associated with this vulnerability.

This discovery underscores the importance of robust security practices in software development and deployment. Hardcoded credentials pose significant risks and should be avoided in production environments.

As cybersecurity threats evolve, organizations must remain vigilant and proactive in safeguarding their systems against vulnerabilities like CVE-2024-20439.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...