Cisco is warning that a number of of its Unified Communications Supervisor (CM) and Contact Heart Options merchandise are susceptible to a vital severity distant code execution security challenge.
Cisco’s Unified Communications and Contact Heart Options are built-in options that present enterprise-level voice, video, and messaging companies, in addition to buyer engagement and administration.
The corporate has printed a security bulletin to warn in regards to the vulnerability, at present tracked as CVE-2024-20253, which might permit an unauthenticated, distant attacker to execute arbitrary code on an affected machine.
The vulnerability was found by Synacktiv researcher Julien Egloff and acquired a 9.9 base rating out of a most of 10. It’s brought on by improper processing of user-provided knowledge learn into reminiscence.
Attackers might exploit it by sending a specifically crafted message to a listening port, doubtlessly gaining the power to execute arbitrary instructions with the privileges of the online companies consumer, and set up root entry.
CVE-2024-20253 impacts the next Cisco merchandise of their default configurations:
- Packaged Contact Heart Enterprise (PCCE) variations 12.0 and earlier, 12.5(1) and 12.5(2)
- Unified Communications Supervisor (Unified CM) variations 11.5, 12.5(1), and 14. (identical for Unified CM SME)
- Unified Communications Supervisor IM & Presence Service (Unified CM IM&P) variations 11.5(1), 12.5(1), and 14.
- Unified Contact Heart Enterprise (UCCE) variations 12.0 and earlier, 12.5(1), and 12.5(2).
- Unified Contact Heart Specific (UCCX) variations 12.0 and earlier and 12.5(1).
- Unity Connection variations 11.5(1), 12.5(1), and 14.
- Virtualized Voice Browser (VVB) variations 12.0 and earlier, 12.5(1), and 12.5(2).
The seller says there’s no workaround and the advisable motion is to use the accessible security updates. The next releases deal with the vital distant code execution (RCE) flaw:
- PCCE: 12.5(1) and 12.5(2) apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn.
- Unified CM and Unified CME: 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512. 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512.
- Unified CM IM&P: 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512. 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512.
- UCCE: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).
- UCCX: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1).
- VVB: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).
Cisco advises admins to arrange entry management lists (ACLs) as a mitigation technique for case the place making use of the updates isn’t instantly doable.
Particularly, customers are advisable to implement ACLs on middleman gadgets that separate the Cisco Unified Communications or Cisco Contact Heart Options cluster from customers and the remainder of the community.
The ACLs have to be configured to permit entry solely to the ports of deployed companies, successfully controlling the visitors that may attain the affected elements.
Earlier than deploying any mitigation measures, admins ought to consider their applicability and potential impression on the atmosphere, and check them in a managed house to make sure enterprise operations should not impacted.
The corporate notes that it’s not conscious of any public bulletins or malicious use of the vulnerability.
