Home Intel Hub T01 - SANS Internet Storm Center, InfoCON: green Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440, (Wed, Mar 19th)

Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440, (Wed, Mar 19th)

SANS Internet Storm Center, InfoCON: green 2025-03-19

In September, Cisco published an advisory noting two vulnerabilities [1]:

  • CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability
  • CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability

These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with. A simple fixed password that can be used to obtain access. The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file. A quick search didn’t show any active exploitation, but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory [2]. So it is no surprise that we are seeing some exploit activity:

The API affected by this vulnerability can be found at /cslu/v1. One of the sample requests:

GET /cslu/v1/scheduler/jobs HTTP/1.1 Host: [redacted]:80 Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU= Connection: close  

The base64 encoded string decodes to: cslu-windows-client:Library4C$LU , the credentials Nicholas's blog identified.

The same group looking for this URL is also attempting several other attacks. Most are just looking for configuration files like "/web.config.zip", and interestingly, they also picked to scan for what looks like CVE-2024-0305  (but I am not sure about that. I base this on the exploit found on GitHub [3]). Other vulnerability notes suggest a different URL for this vulnerability. Either way, it is likely a vulnerability in a DVR.

GET /classes/common/busiFacade.php HTTP/1.1 Host: [redacted]:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw== Content-Type: application/x-www-form-urlencoded Connection: close

In this case, the credentials decode to: helpdeskIntegrationUser:dev-C4F8025E .  It's always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities.

[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw [2] https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html [3] https://github.com/jidle123/cve-2024-0305exp/blob/main/cve-2024-0305.py

--- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter|HTTP recquest for /cslu/v1/scheduler/jobs with default credentials

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.