Cisco revealed a critical vulnerability, CVE-2024-20439, in its Smart Licensing Utility: a hardcoded static password, found by an independent researcher, that allows unauthorized access.
CVE-2024-20439
This vulnerability mainly affects the Cisco Smart Licensing Utility, which is available for both Windows and Linux platforms. To investigate, the researcher downloaded the Linux version and extracted its contents using standard command-line tools.
The utility is built as an Electron application, which gives it cross-platform compatibility, and it runs on top of a REST API written in Golang that provides the application's functionality.
The REST API is set to listen on all network interfaces by default, making it vulnerable to potential external attacks. The researcher, as noted in Starkeblog, used the Ghidra Golang Extension to analyze the cslu-api binary and discovered a hardcoded password: “Library4C$LU”. This password is found in the APIClient.js file of the Electron component, allowing unauthorized access via HTTP Basic Authentication.
Electron Component
The critical credentials were located in the resources/app.asar file within the installer package. This .asar file is an Electron archive that can be extracted to access its contents.
The APIClient.js file contains the following code snippet:
    "use strict";
    Object.defineProperty(exports, "__esModule", { value: true });
    var axios_1 = require("axios");
    var https = require("https");
    var rxjs_1 = require("rxjs");
    var APIClient = /** @class */ (function () {
        function APIClient(config) {
            this.protocol = "http";
            this.apiHost = "localhost";
            this.apiPort = 4596;
            this.apiEndpointPath = "/cslu/v1";
            this.basicAuthUserName = "cslu-windows-client";
            this.basicAuthPassword = "Library4C$LU";
            if (!!APIClient.getInstance()) {
                return APIClient.getInstance();
            }
            [...]
This code shows that versions 2.0.0 to 2.2.0 of the application use these credentials for HTTP Basic Authentication, creating a serious security risk.
The vulnerability is severe as the cslu-api process listens on all network interfaces, making it easy for attackers to exploit. Versions 2.0.0 and 2.1.0 also use these credentials, leaving them equally vulnerable.
The researcher recommends creating tools or Metasploit modules to exploit this vulnerability and extract data from compromised systems. However, they stress that updating to version 2.3.0 or later eliminates this risk by removing the hardcoded password.
Organizations using Cisco’s Smart Licensing Utility are advised to update their software immediately to prevent exploitation. Cisco’s advisory includes instructions for securing affected systems and mitigating risks. This discovery highlights the need for strong security practices in software development, as hardcoded credentials can pose serious risks.
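A source-level check for this class of bug, as an added example that is not from Cisco, the researcher, or the original article: it scans JavaScript text for string literals assigned to credential-like names and reports them with the value masked. The name patterns and placeholder list are assumptions to tune per code base; the sample input reuses the constructor lines quoted above plus two constructed lines.

```javascript
// Added example (not Cisco's or the researcher's code): flag string literals
// assigned to credential-like names, as in the APIClient.js excerpt above.
const CRED_NAME = /(password|passwd|secret|token|api_?key|authuser)/i; // assumed list
// Matches: name = "v" | this.name = 'v' | name: "v" | "name": "v"
// Does not match comparisons (==, ===, !=) or non-literal right-hand sides.
const ASSIGN = /(?:^|[\s.{,(])["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'`])((?:\\.|(?!\2).)*)\2/g;
// Values that are obviously not real secrets (assumed list, tune per code base).
const PLACEHOLDER = /^(|changeme|example|x+|\*+|<[^>]*>)$/i;

// Keep the first two characters so a reviewer can recognise the value
// without the full secret being copied into CI logs.
const mask = (v) =>
  v.length <= 4 ? "*".repeat(v.length) : v.slice(0, 2) + "*".repeat(v.length - 2);

function scanSource(text, file = "<input>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (/^\s*(\/\/|\*)/.test(line)) return;               // skip comment lines
    for (const [, name, quote, value] of line.matchAll(ASSIGN)) {
      if (!CRED_NAME.test(name)) continue;                 // not a credential-like name
      if (PLACEHOLDER.test(value)) continue;               // empty or dummy value
      if (quote === "`" && value.includes("${")) continue; // interpolated, not a literal
      findings.push({ file, line: i + 1, name, value: mask(value) });
    }
  });
  return findings;
}

// Sample input: the constructor lines quoted on this page, plus two constructed
// lines (environment lookup, empty default) that must NOT be reported.
const SAMPLE = [
  'this.protocol = "http";',
  'this.apiHost = "localhost";',
  'this.apiPort = 4596;',
  'this.basicAuthUserName = "cslu-windows-client";',
  'this.basicAuthPassword = "Library4C$LU";',
  'this.token = process.env.CSLU_TOKEN;   // constructed',
  'var opts = { password: "" };           // constructed',
].join("\n");

const report = scanSource(SAMPLE, "APIClient.js");
for (const f of report) console.log(`${f.file}:${f.line} ${f.name} = "${f.value}"`);
```

Run over every .js file of an extracted Electron archive in a build pipeline, a non-empty result is a reason to fail the build before the package ships.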
As cybersecurity threats change, organizations must stay vigilant and proactive in protecting their systems against vulnerabilities like CVE-2024-20439.