Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440, (Wed, Mar 19th)
Cisco disclosed two vulnerabilities (CVE-2024-20439 and CVE-2024-20440), involving a fixed-password backdoor and a log-file disclosure. An attacker can use the backdoor to access the logs and then try to retrieve configuration files or information about other vulnerabilities. The details are public, and some exploitation activity has followed. 2025-3-19 13:30:37 Author: isc.sans.edu

In September, Cisco published an advisory noting two vulnerabilities [1]:

  • CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability
  • CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability

These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with: a simple fixed password that can be used to obtain access. The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file. A quick search didn’t show any active exploitation, but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory [2]. So it is no surprise that we are seeing some exploit activity:

The API affected by this vulnerability can be found at /cslu/v1. One of the sample requests we observed:

GET /cslu/v1/scheduler/jobs HTTP/1.1
Host: [redacted]:80
Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=
Connection: close


The base64-encoded string decodes to cslu-windows-client:Library4C$LU, the credentials Nicholas's blog identified.

The same group looking for this URL is also attempting several other attacks. Most are just looking for configuration files like "/web.config.zip", and interestingly, they also chose to scan for what looks like CVE-2024-0305 (but I am not sure about that; I base this on the exploit found on GitHub [3]). Other vulnerability notes suggest a different URL for this vulnerability. Either way, it is likely a vulnerability in a DVR.

GET /classes/common/busiFacade.php HTTP/1.1
Host: [redacted]:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
Content-Type: application/x-www-form-urlencoded
Connection: close

In this case, the credentials decode to helpdeskIntegrationUser:dev-C4F8025E7 (the base64 string carries a trailing "7").
It's always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities.
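For defenders who want to flag these probes in web or proxy logs, the following is an added example (not part of the diary) that parses a raw HTTP request, decodes the Basic Authorization header, and matches the result against the two static credential pairs quoted above; the sample requests are reconstructed from the ones shown in this post, and the description attached to the second pair is an assumption, since the post itself is unsure which DVR vulnerability it targets.

```python
import base64
import re

# Static credential pairs seen in the requests above. The CSLU pair is the one
# Cisco's advisory and Starke's blog describe; the second label is an assumption.
KNOWN_STATIC_CREDS = {
    ("cslu-windows-client", "Library4C$LU"):
        "CVE-2024-20439 Cisco Smart Licensing Utility static credential",
    ("helpdeskIntegrationUser", "dev-C4F8025E7"):
        "hard-coded credential probe against /classes/common/busiFacade.php (DVR, CVE uncertain)",
}

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def decode_basic_auth(header_value: str):
    """Return (user, password) from a 'Basic <base64>' header, or None if absent/malformed."""
    match = re.match(r"^Basic\s+([A-Za-z0-9+/=]+)$", header_value, re.IGNORECASE)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # bad padding or non-alphabet characters
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def classify_request(raw: str):
    """Flag known static-credential use, and any probe of the CSLU API without it."""
    _method, path, headers = parse_request(raw)
    creds = decode_basic_auth(headers.get("authorization", ""))
    finding = {"path": path, "creds": creds, "alert": None}
    if creds in KNOWN_STATIC_CREDS:
        finding["alert"] = KNOWN_STATIC_CREDS[creds]
    elif path.startswith("/cslu/v1"):
        finding["alert"] = "CSLU API probe (unknown or no credentials)"
    return finding

# Constructed sample requests, reconstructed from the two shown in the post.
SAMPLE_CSLU = ("GET /cslu/v1/scheduler/jobs HTTP/1.1\r\nHost: [redacted]:80\r\n"
               "Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=\r\nConnection: close\r\n")
SAMPLE_DVR = ("GET /classes/common/busiFacade.php HTTP/1.1\r\nHost: [redacted]:80\r\n"
              "Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==\r\nConnection: close\r\n")
```

Feeding captured request headers through classify_request() gives a per-request alert string, which is enough to build a log-search rule or a honeypot tag for these scans.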

[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
[2] https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html
[3] https://github.com/jidle123/cve-2024-0305exp/blob/main/cve-2024-0305.py

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
[Figure: HTTP request for /cslu/v1/scheduler/jobs with default credentials]


Source: https://isc.sans.edu/diary/rss/31782