September 5, 2024 at 12:58AM
Cisco has issued security updates to address critical flaws in its Smart Licensing Utility and Identity Services Engine (ISE). Affecting versions 2.0.0, 2.1.0, and 2.2.0, the flaws could enable unauthenticated, remote attackers to elevate privileges or access sensitive information. Additionally, a command injection vulnerability in ISE versions 3.2 and 3.3 has also been resolved.
From the meeting notes, there are several key takeaways:
1. Cisco has released security updates for two critical security flaws in its Smart Licensing Utility that could allow unauthenticated, remote attackers to elevate their privileges or access sensitive information. The vulnerabilities are CVE-2024-20439 and CVE-2024-20440.
2. These vulnerabilities do not affect Smart Software Manager On-Prem and Smart Software Manager Satellite products.
3. Users of Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 are advised to update to a fixed release. Version 2.3.0 is not susceptible to the bug.
4. Additionally, Cisco has released updates to resolve a command injection vulnerability in its Identity Services Engine (ISE) that could permit an authenticated, local attacker to run arbitrary commands on an underlying operating system and elevate privileges to root. This flaw is tracked as CVE-2024-20469 and impacts Cisco ISE 3.2 (3.2P7 – Sep 2024) and Cisco ISE 3.3 (3.3P4 – Oct 2024).
5. The company has also warned that a proof-of-concept (PoC) exploit code is available, although it’s not aware of any malicious exploitation of the bug.
These are critical issues that should be communicated promptly to relevant stakeholders, and appropriate actions should be taken to address and mitigate them.