Full Report
The SANS Technology Institute has issued a critical warning for organizations using Cisco's Smart Licensing Utility (CSLU), urging them to update their systems immediately to address two serious vulnerabilities. These flaws, which were first disclosed by Cisco in September 2024, pose serious cybersecurity risks: they could allow attackers to gain unauthorized access to sensitive information or even take control of affected systems.

The Cisco Smart Licensing Utility (CSLU) is primarily used in smaller, on-premises, and air-gapped networks to manage licenses for Cisco products. Unlike the more complex cloud-based Cisco Smart Licensing system, CSLU offers a simpler way to handle licensing in isolated environments. However, these new vulnerabilities, CVE-2024-20439 and CVE-2024-20440, have raised concern because of their potential to expose critical systems to cyberattacks.

CVE-2024-20439 and CVE-2024-20440

[Figure: Details of the vulnerabilities (Source: Cisco)]

The vulnerabilities discovered within CSLU are notable for both their simplicity and their severity. CVE-2024-20439, the Static Credential Vulnerability, allows attackers to use an undocumented static user credential to gain administrative access to systems running the affected versions of Cisco Smart Licensing Utility. This flaw is particularly dangerous because it can be exploited remotely by unauthenticated users, giving attackers full administrative privileges via the application's API.

The second vulnerability, CVE-2024-20440, is an Information Disclosure Vulnerability. It arises from excessive verbosity in a debug log file, which can expose sensitive information, including credentials that attackers could use to access the CSLU API. Both vulnerabilities are critical: Cisco has assigned each a CVSS base score of 9.8.
Exploitation and Early Indicators

In a March 19 report, Johannes Ullrich, Dean of Research at the SANS Technology Institute, warned that exploit attempts for these vulnerabilities have already been detected. The exploits target the backdoor credentials that were revealed shortly after Cisco's public advisory in September; the SANS team identified these credentials in recent API calls. This is not surprising, as security researcher Nicholas Starke had previously reverse-engineered the flaws and shared the backdoor credentials on his blog.

Ullrich emphasized that the problem was exacerbated by Cisco's public advisory, which inadvertently shared details of the backdoor credentials and so made the issue easier to exploit. The backdoor credentials, identified as cslu-windows-client:Library4C$LU, have been seen in exploit attempts targeting the CSLU API.

Conclusion

Cisco has confirmed that no workarounds are available for the critical vulnerabilities in the Cisco Smart Licensing Utility (CSLU); the only solution is to apply the patches released by Cisco. Affected organizations running versions 2.0.0, 2.1.0, or 2.2.0 should upgrade to version 2.3.0 or later, which is not vulnerable. This situation highlights the importance of timely software updates in preventing exploitation. With active attacks already detected, organizations are urged to act immediately to secure their systems. For more information, users should visit Cisco's advisory page or contact Cisco support.
Analysis Summary
# Vulnerability: Active Exploitation of Cisco CSLU Backdoor Credentials
## CVE Details
- CVE ID: CVE-2024-20439 (static credential) and CVE-2024-20440 (information disclosure). Both affect CSLU and both call for immediate action; a CWE identifier for each is not given in the source.
- CVSS Score: 9.8 (the base score Cisco assigned to both, per the full report above).
- CWE: Not given in the source; the flaws correspond to a hardcoded static credential that grants backdoor API access (CVE-2024-20439) and sensitive data written to a debug log (CVE-2024-20440).
## Affected Systems
- Products: Cisco Smart Licensing Utility (CSLU)
- Versions: 2.0.0, 2.1.0, and 2.2.0 (the versions the report says must be upgraded).
- Configurations: Any deployment running vulnerable versions of CSLU.
## Vulnerability Description
The vulnerabilities stem from exposed or leaked backdoor credentials (`cslu-windows-client:Library4C$LU`), revealed following a Cisco public advisory in September. These hardcoded credentials allow attackers to interact directly with the CSLU API, bypassing normal authentication. Their publication, inadvertently amplified after the advisory, made exploitation straightforward.
## Exploitation
- Status: Exploit attempts detected in the wild. SANS reported that exploit attempts leveraging these credentials in recent API calls have been detected.
- Complexity: Low (the credentials are public, having been recovered by reverse engineering and then repeated in the advisory).
- Attack Vector: Network (Targeting API calls).
## Impact
*Note: Specific impact ratings are not provided, but given active exploitation targeting CSLU credentials, the likely impact is severe.*
- Confidentiality: Likely High (Potential unauthorized access to licensing data/system information).
- Integrity: Likely High (Ability to manipulate utility functions).
- Availability: Potentially High (Disruption of licensing services).
## Remediation
### Patches
Cisco has confirmed **zero workarounds** are available. The only solution is patching:
- Affected organizations must upgrade to **Version 2.3.0 or later**.
- Versions 2.0.0, 2.1.0, and 2.2.0 are the versions cited as needing the upgrade.
### Workarounds
- No workarounds are available according to Cisco. Immediate patching is required.
## Detection
- Indicators of Compromise (IOCs): Presence of API calls linked to the known backdoor credentials (`cslu-windows-client:Library4C$LU`).
- Detection Methods and Tools: Monitoring CSLU API traffic for authentication attempts using the aforementioned credentials. Security teams should review relevant logging, as highlighted by the SANS Technology Institute alert from March 19.
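The detection and remediation sections above describe two checks a defender can automate: flagging API requests that authenticate with the known static credential (or probe its username), and deciding from the CSLU version string whether a host still needs the 2.3.0 upgrade. The following is an added example, not code from the SANS report or from Cisco. It assumes a simple constructed access-log format (`<client> <method> <path> <status> auth="<Authorization header>"`); the API paths and client addresses in the sample lines are constructed, and only the credential and version numbers come from the page.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Static credential named in the report (CVE-2024-20439); used here only to detect its use.
KNOWN_STATIC_CREDENTIAL = "cslu-windows-client:Library4C$LU"
KNOWN_STATIC_USER = KNOWN_STATIC_CREDENTIAL.split(":", 1)[0]

# Versions the report lists as needing the upgrade, and the first fixed release.
AFFECTED_VERSIONS = {"2.0.0", "2.1.0", "2.2.0"}
FIXED_VERSION = (2, 3, 0)

# Assumed (constructed) log shape; adapt the regex to whatever proxy or WAF log you actually have.
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    reason: str
    client: str
    request: str


def decode_basic(auth_value: str) -> Optional[str]:
    """Return 'user:password' from an HTTP Basic Authorization value, or None if it is not Basic
    or the token is not valid base64/UTF-8 (malformed headers are skipped, not treated as matches)."""
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def scan_api_log(lines: List[str]) -> List[Finding]:
    """Flag requests that present the static credential, or its username with any password (a probe)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        creds = decode_basic(m["auth"])
        if creds is None:
            continue
        user = creds.partition(":")[0]
        if creds == KNOWN_STATIC_CREDENTIAL:
            reason = "exact static credential (CVE-2024-20439)"
        elif user == KNOWN_STATIC_USER:
            reason = "static username with a different password (probe)"
        else:
            continue
        findings.append(Finding(n, reason, m["client"], f'{m["method"]} {m["path"]} -> {m["status"]}'))
    return findings


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def needs_upgrade(version: str) -> bool:
    """True for the versions the report says must be upgraded; False for 2.3.0 and later.
    Anything else is not covered by the report, so refuse to guess."""
    if version in AFFECTED_VERSIONS:
        return True
    if parse_version(version) >= FIXED_VERSION:
        return False
    raise ValueError(f"version {version} is not covered by the report")


def _basic(cred: str) -> str:
    """Build a Basic header value for the constructed sample log."""
    return "Basic " + base64.b64encode(cred.encode()).decode()


# Constructed sample log lines (clients and paths are invented for the example).
SAMPLE_LOG = [
    f'203.0.113.7 POST /api/v1/jobs 200 auth="{_basic(KNOWN_STATIC_CREDENTIAL)}"',
    f'198.51.100.4 GET /api/v1/product-instances 401 auth="{_basic("cslu-windows-client:guess1")}"',
    f'10.0.0.12 GET /api/v1/product-instances 200 auth="{_basic("licadmin:S3cret!")}"',
    '10.0.0.12 GET /api/v1/health 200 auth="Bearer not-basic"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_api_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.request}: {f.reason}")
    for v in ("2.2.0", "2.3.0"):
        print(v, "needs upgrade" if needs_upgrade(v) else "not vulnerable")
```

A successful (2xx) request with the static credential on a version below 2.3.0 is the highest-priority finding: it means the backdoor worked, not just that someone tried it. The username-only match catches scanners cycling passwords before the exact string appears; both are worth alerting on, since there is no legitimate reason for that username to reach the API from an unexpected client.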
## References
- Vendor Advisory: cisco-sa-cslu-7gHMzWmw (Defanged link: hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw)
- SANS Report: March 19 alert by Johannes Ullrich, Dean of Research at the SANS Technology Institute (URL not given in the source).
- Researcher Disclosure: Nicholas Starke's blog post that reverse-engineered the flaws and published the credentials (URL not given in the source).