Critical Cisco Smart Licensing Utility Flaws Exploited in Attacks

Cisco's Smart Licensing Utility vulnerabilities CVE-2024-20439 and CVE-2024-20440 are now exploited, allowing unauthorized access through a backdoor admin account.

    Cisco has confirmed that attackers are actively targeting vulnerabilities in the Cisco Smart Licensing Utility (CSLU) application. These flaws allow unauthorized access through a built-in backdoor admin account, posing significant security risks to affected systems.

    Details of the Vulnerabilities

    The vulnerabilities are tracked as CVE-2024-20439 and CVE-2024-20440.

    • CVE-2024-20439: This vulnerability involves an undocumented static user credential for an administrative account. It enables unauthenticated attackers to remotely access unpatched systems with admin privileges via the CSLU app’s API.
    • CVE-2024-20440: This issue allows unauthenticated attackers to gain access to sensitive log files, which may contain API credentials, by sending crafted HTTP requests to vulnerable devices.

    Both vulnerabilities affect systems running specific versions of the CSLU application and can be exploited only if the user has launched the app, which does not run in the background by default.

    Exploitation Reports of Cisco Smart Licensing Utility Flaws

    Nicholas Starke, a threat researcher at Aruba, reverse-engineered these vulnerabilities and published technical details shortly after Cisco’s patch release. His findings included the decoded hardcoded static password, amplifying concerns over potential exploits.

    According to Johannes Ullrich from the SANS Technology Institute, threat actors are now chaining these vulnerabilities in attacks targeting CSLU instances exposed online.

    Ullrich stated, “A quick search didn’t show any active exploitation [at the time], but details, including the backdoor credentials, were published in a blog… So it is no surprise that we are seeing some exploit activity.”

    Lack of Evidence of Exploitation

    Cisco’s security advisory states that its Product Security Incident Response Team (PSIRT) has found no evidence of exploitation related to these vulnerabilities at this time. Despite this, the potential for attacks remains concerning, as the end goal of these exploits is unclear. The threat actors also appear to be leveraging other vulnerabilities, including CVE-2024-0305, which affects Guangzhou Yingke Electronic DVRs.

    CVE-2024-20439 is not the first backdoor account found in a Cisco product. The company has previously addressed hardcoded credentials in several of its software products, including Digital Network Architecture (DNA) Center and IOS XE.
