- 247/2024
- Critical
Cisco has released security updates to fix several vulnerabilities affecting multiple Cisco products.
The addressed vulnerabilities could allow the attacker to bypass security restrictions, obtain sensitive information, or gain elevated privileges to the affected product.
Sample of the addressed vulnerabilities:
1. Cisco Smart Licensing Utility Static Credential Vulnerability (CVE-2024-20439):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
2. Cisco Smart Licensing Utility Information Disclosure Vulnerability (CVE-2024-20440):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
3. Cisco Identity Services Engine Command Injection Vulnerability (CVE-2024-20469):
- CVSS: 6
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Privileges
Affected Products:
- Cisco Smart Licensing Utility.
- Cisco Meraki SM Agent for Windows.
- Cisco ISE.
- Cisco Expressway-E.
- Cisco Duo Epic for Hyperdrive.
It should be highlighted that Cisco PSIRT is aware of the proof-of-concept exploit code that is available for the vulnerability “CVE-2024-20469”.
Vulnerabilities
- CVE-2024-20503
- CVE-2024-20497
- CVE-2024-20469
- CVE-2024-20430
- CVE-2024-20440
- CVE-2024-20439
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.