September 5, 2024 at 08:55AM
Cisco announced patches for multiple vulnerabilities, including two critical flaws in Smart Licensing Utility and a medium-severity Identity Services Engine flaw, with existing proof-of-concept code. The Smart Licensing bugs could allow remote unauthenticated access or logins, and Cisco advises migrating to version 2.3.0. Additionally, patches were announced for other high and medium-severity vulnerabilities.
From the meeting notes, I have gathered the following key takeaways:
1. Cisco announced patches for multiple vulnerabilities, including two critical-severity flaws in Smart Licensing Utility and a medium-severity Identity Services Engine (ISE) flaw for which proof-of-concept (PoC) code exists.
2. The Smart Licensing Utility bugs, CVE-2024-20439 and CVE-2024-20440, pose a severe risk with a CVSS score of 9.8. They could allow remote, unauthenticated attackers to access sensitive information or gain administrative login privileges. Cisco recommends migrating to Smart License Utility version 2.3.0 to mitigate these vulnerabilities.
3. The Identity Services Engine (ISE) vulnerability, tracked as CVE-2024-20469, is of medium severity. It involves specific CLI commands that could allow authenticated attackers to inject commands on the underlying operating system and elevate privileges to root. Patches for this vulnerability will be included in ISE version 3.2P7 and version 3.3P4.
4. Cisco also announced patches for a high-severity code execution bug in Cisco Meraki Systems Manager (SM) agent for Windows, and for medium-severity flaws in Expressway Edge (Expressway-E) and Duo Epic for Hyperdrive.
5. The company states that it is not aware of any of these vulnerabilities being exploited in the wild.
I can assist in summarizing further details or taking any specific actions based on the meeting notes.