The SANS Technology Institute has issued a critical warning for organizations using Cisco’s Smart Licensing Utility (CSLU), urging them to update their systems immediately to address two serious vulnerabilities. These flaws, which were first disclosed by Cisco in September 2024, pose cybersecurity risks. The vulnerabilities could allow attackers to gain unauthorized access to sensitive information or even take control of affected systems.
The Cisco Smart Licensing Utility (CSLU) is primarily used in smaller, on-premises, and air-gapped networks to manage licenses for Cisco products. Unlike the more complex cloud-based Cisco Smart Licensing system, CSLU offers a simpler way to handle licensing in isolated environments. However, these new vulnerabilities—CVE-2024-20439 and CVE-2024-20440—have raised questions due to their potential to expose critical systems to cyberattacks.
CVE-2024-20439 and CVE-2024-20440
The vulnerabilities discovered within CSLU are notably concerning for their simplicity and severity. CVE-2024-20439, also known as the Static Credential Vulnerability, allows attackers to exploit an undocumented static user credential, granting them administrative access to systems running the affected versions of Cisco Smart Licensing Utility. This flaw is particularly dangerous because it can be exploited remotely, even by unauthenticated users, providing attackers with full administrative privileges via the application’s API.
The second vulnerability, CVE-2024-20440, is an Information Disclosure Vulnerability. This flaw arises from excessive verbosity in a debug log file, which can expose sensitive information, including credentials that attackers could use to access the CSLU API. Both vulnerabilities are critical, with Cisco assigning a CVSS base score of 9.8, indicating their high severity.
Exploitation and Early Indicators
In a March 19 report, Johannes Ullrich, Dean of Research at SANS Technology Institute, warned that exploit attempts for these vulnerabilities have already been detected. The exploits target the backdoor credentials that were originally revealed shortly after Cisco’s public advisory in September. The SANS team identified that these credentials were being used in recent API calls. This is not surprising, as security researcher Nicholas Starke had previously reverse-engineered the flaws and shared the backdoor credentials on his blog.
Ullrich emphasized that the vulnerability was exacerbated by Cisco’s public advisory, which inadvertently shared details of the backdoor credentials, making it easier for attackers to exploit the issue. The backdoor credentials, identified as cslu-windows-client:Library4C$LU, have been seen in exploit attempts targeting the CSLU API.
Conclusion
Cisco has confirmed that no workarounds are available for the critical vulnerabilities in the Cisco Smart Licensing Utility (CSLU), and the only solution is to apply the patches released by Cisco. Affected organizations should update to versions 2.0.0, 2.1.0, or 2.2.0, or upgrade to version 2.3.0 or later, which is not vulnerable.
This situation highlights the importance of timely software updates to prevent exploitation. With active attacks already detected, organizations are urged to act immediately to secure their systems. For more information, users should visit Cisco’s advisory page or contact Cisco support.
