Attackers probing backdoor flaw in popular Cisco Smart Licensing Utility, warns SANS

Backdoor secrecy
The hardcoded password flaw, identified as CVE-2024-20439, could be exploited to achieve administrator privileges via the app’s API. The second flaw, CVE-2024-20440, could allow an attacker to obtain log files containing sensitive data such as API credentials.
With both given an identical CVSS score of 9.8, it's a toss-up as to which is the worse of the two. However, the vulnerabilities could clearly be used together in ways that amplify their danger, making patching even more imperative. The affected versions of CSLU are 2.0.0, 2.1.0, and 2.2.0; version 2.3.0 is the patched version.
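As an added, defender-side example (not code from the article, Cisco or SANS), the script below does the two things an operator needs after reading the advisory: check a CSLU version string against the affected range the article gives, and audit a log file for credential-looking values of the kind the second flaw would expose, redacting them before the file is shared. The log lines, their layout and the field names matched (`api_key`, `token`, `Authorization: Bearer`) are constructed for illustration and are assumptions, not CSLU's real log format.

```python
"""Defender-side checks for the CSLU advisory: version inventory and log audit.

Assumptions (not from the article): the log layout below is constructed, and
the credential field names matched are common conventions, not CSLU's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Versions the article lists as affected, and the release it names as fixed.
AFFECTED_VERSIONS = {"2.0.0", "2.1.0", "2.2.0"}
FIXED_VERSION = (2, 3, 0)

# Credential-looking fields a log audit should flag. Group 1 is the field
# label, group 2 the value to redact. Assumed patterns, not CSLU-specific.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\s*[=:]\s*(\S+)"),
    re.compile(r"(?i)\b(Authorization:\s*(?:Bearer|Basic))\s+(\S+)"),
]

# Constructed sample log; the format is invented for this example.
SAMPLE_LOG = """\
2024-03-20T10:01:02Z INFO  startup version=2.2.0
2024-03-20T10:01:05Z DEBUG request GET /healthcheck Authorization: Bearer eyJabc.def.ghi
2024-03-20T10:02:11Z INFO  registering with api_key=AKIA-EXAMPLE-0001
2024-03-20T10:03:00Z INFO  heartbeat ok
"""


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected_version(v: str) -> bool:
    """True only for the exact versions the article names as affected."""
    return v.strip() in AFFECTED_VERSIONS


def needs_upgrade(v: str) -> bool:
    """Conservative check: anything older than the 2.3.0 fix should be upgraded."""
    return parse_version(v) < FIXED_VERSION


def detect_version(log_text: str) -> Optional[str]:
    """Pull a 'version=X.Y.Z' token out of the log, if the startup line logged one."""
    m = re.search(r"\bversion=(\d+\.\d+\.\d+)\b", log_text)
    return m.group(1) if m else None


def find_credential_leaks(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, field_label) for every credential-looking value."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                hits.append((n, m.group(1)))
    return hits


def _redact_match(m: "re.Match") -> str:
    # Keep the label and separator, replace only the secret value (group 2).
    keep = m.group(0)[: m.start(2) - m.start(0)]
    return keep + "[REDACTED]"


def redact(log_text: str) -> str:
    """Return a copy of the log with credential values masked for safe sharing."""
    for pat in SECRET_PATTERNS:
        log_text = pat.sub(_redact_match, log_text)
    return log_text


def audit(log_text: str) -> Dict[str, object]:
    """Summarise what a responder wants to know: build, exposure, and leaked fields."""
    version = detect_version(log_text)
    return {
        "version": version,
        "affected": is_affected_version(version) if version else None,
        "leaks": find_credential_leaks(log_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(report)
    print(redact(SAMPLE_LOG))
```

Running the script on the constructed log reports version 2.2.0 as affected and flags two leaked fields (a bearer token on line 2 and an API key on line 3); the redacted copy keeps the labels so the context of the leak is still visible without the secret.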
CSLU is a recent product, so one might have expected it to be better secured. That said, Cisco has a history of this type of flaw, with hardcoded credentials being discovered in Cisco Firepower Threat Defense, Emergency Responder, and further back in Digital Network Architecture (DNA) Center, to name only some of the affected products.
As Ullrich of SANS wrote rather sarcastically in the organization's new warning: "The first one [CVE-2024-20439] is one of the many backdoors Cisco likes to equip its products with."