Cisco Update

Cisco recently issued patches for a severe security vulnerability in its Unified Communications and Contact Center Solutions products. The flaw, tracked as CVE-2024-20253 with a CVSS score of 9.9 (critical), could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

The vulnerability stems from improper processing of user-supplied data. An attacker could exploit it by sending a specially crafted message to a listening port on an affected device.

According to Cisco’s advisory, a successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. From there, the attacker could establish root access on the affected device.

Julien Egloff, a security researcher from Synacktiv, is credited with discovering and reporting this critical flaw. Affected products include:

  • Unified Communications Manager (versions 11.5, 12.5(1), and 14),
  • Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14),
  • Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14),
  • Unified Contact Center Express (versions 12.0 and earlier, and 12.5(1)),
  • Unity Connection (versions 11.5(1), 12.5(1), and 14), and
  • Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))

Cisco has not provided a workaround for this vulnerability. As an interim mitigation, particularly where the updates cannot be applied immediately, Cisco advises deploying access control lists (ACLs) to restrict access. These ACLs should be configured on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network, allowing access only to the ports of deployed services.
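The following Cisco IOS extended ACL illustrates what that interim mitigation looks like on an intermediary router. It is an added example, not configuration from Cisco’s advisory. Every address and port in it is an assumption: 10.10.50.0/24 stands in for the UC cluster subnet, 10.20.0.0/16 for the phone and user subnet, 10.99.1.0/24 for the administration subnet, and HTTPS plus SIP over TCP/TLS/UDP for the deployed services. In a real deployment the permitted ports must be taken from the documented port list for the services actually running on the cluster.

```cisco
! Added example, not Cisco's own configuration.
! Assumed (hypothetical) addressing:
!   10.10.50.0/24  - UC / Contact Center cluster subnet
!   10.20.0.0/16   - IP phone and user subnet
!   10.99.1.0/24   - administration subnet
! Assumed deployed services: HTTPS (443) for management, SIP (5060/5061).
ip access-list extended UC-CLUSTER-FILTER
 remark Management web interfaces reachable only from the admin subnet
 permit tcp 10.99.1.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 443
 remark SIP signalling from the phone subnet (assumed ports)
 permit tcp 10.20.0.0 0.0.255.255 10.10.50.0 0.0.0.255 eq 5060
 permit tcp 10.20.0.0 0.0.255.255 10.10.50.0 0.0.0.255 eq 5061
 permit udp 10.20.0.0 0.0.255.255 10.10.50.0 0.0.0.255 eq 5060
 remark Any other traffic toward the cluster is dropped and logged,
 remark which also gives a detection signal for unexpected connection attempts
 deny   ip any 10.10.50.0 0.0.0.255 log
 remark Traffic not destined for the cluster is unaffected by this ACL
 permit ip any any
!
interface GigabitEthernet0/1
 description Interface facing the UC cluster VLAN (assumed)
 ip access-group UC-CLUSTER-FILTER out
```

The ACL is applied outbound on the interface that faces the cluster, so every packet heading toward the cluster subnet is evaluated regardless of which interface it arrived on. The closing `deny ... log` line is what makes the ACL useful beyond blocking: the logged hits show which sources are trying to reach ports the cluster is not supposed to expose, which is worth reviewing while the patches are being rolled out.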

This announcement comes shortly after Cisco addressed another critical security issue in Unity Connection, identified as CVE-2024-20272 with a CVSS score of 7.3, which also allowed attackers to run arbitrary commands on the system.