Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account.
The CSLU Windows application allows admins to manage licenses and linked products on-premises without connecting them to Cisco’s cloud-based Smart Software Manager solution.
Cisco patched this security flaw (tracked as CVE-2024-20439) in September, describing it as “an undocumented static user credential for an administrative account” that can let unauthenticated attackers log into unpatched systems remotely with admin privileges over the API of the CSLU app.
The company also addressed a second critical CSLU information disclosure vulnerability (CVE-2024-20440) that unauthenticated attackers can use to access log files containing sensitive data (including API credentials) by sending crafted HTTP requests to vulnerable devices.
These two vulnerabilities only impact systems running vulnerable Cisco Smart Licensing Utility releases and are only exploitable if the user starts the CSLU app—which isn’t designed to run in the background by default.
Aruba threat researcher Nicholas Starke reverse-engineered the vulnerability and published a write-up with technical details (including the decoded hardcoded static password) roughly two weeks after Cisco released security patches.
Targeted in attacks
SANS Technology Institute’s Dean of Research Johannes Ullrich reported that threat actors are now chaining the two security flaws in exploitation attempts targeting CSLU instances exposed on the Internet.
“A quick search didn’t show any active exploitation [at the time], but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory. So it is no surprise that we are seeing some exploit activity,” Ullrich said.
While the end goal of these attacks is not known, the threat actor behind them is also trying to exploit other security vulnerabilities, including what looks like an information disclosure flaw with a public proof-of-concept exploit (CVE-2024-0305) impacting Guangzhou Yingke Electronic DVRs.
Cisco’s security advisory for CVE-2024-20439 and CVE-2024-20440 still says that its Product Security Incident Response Team (PSIRT) has found no evidence that threat actors are exploiting the two security flaws in attacks.
CVE-2024-20439 isn’t the first backdoor account Cisco removed from its products in recent years, with previous hardcoded credentials found in the company’s Digital Network Architecture (DNA) Center, IOS XE, Wide Area Application Services (WAAS), and Emergency Responder software.