In September, Cisco published an advisory noting two vulnerabilities [1]:

• CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability
• CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability

These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with. A simple fixed password that can be used to obtain access. The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file. A quick search didn’t show any active exploitation, but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory [2]. So it is no surprise that we are seeing some exploit activity:

The API affected by this vulnerability can be found at /cslu/v1. One of the sample requests:

GET /cslu/v1/scheduler/jobs HTTP/1.1
Host: [redacted]:80
Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=
Connection: close
 

The base64 encoded string decodes to: cslu-windows-client:Library4C$LU , the credentials Nicholas's blog identified.

The same group looking for this URL is also attempting several other attacks. Most are just looking for configuration files like "/web.config.zip", and interestingly, they also picked to scan for what looks like CVE-2024-0305  (but I am not sure about that. I base this on the exploit found on GitHub [3]). Other vulnerability notes suggest a different URL for this vulnerability. Either way, it is likely a vulnerability in a DVR.

GET /classes/common/busiFacade.php HTTP/1.1
Host: [redacted]:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
Content-Type: application/x-www-form-urlencoded
Connection: close

In this case, the credentials decode to: helpdeskIntegrationUser:dev-C4F8025E . 
It's always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities.

[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
[2] https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html
[3] https://github.com/jidle123/cve-2024-0305exp/blob/main/cve-2024-0305.py

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|