Cisco has launched patches to deal with a important security flaw impacting Unified Communications and Contact Middle Options merchandise that might allow an unauthenticated, distant attacker to execute arbitrary code on an affected gadget.
Tracked as CVE-2024-20253 (CVSS rating: 9.9), the problem stems from improper processing of user-provided information {that a} menace actor might abuse to ship a specifically crafted message to a listening port of a prone equipment.
“A profitable exploit might permit the attacker to execute arbitrary instructions on the underlying working system with the privileges of the online providers consumer,” Cisco mentioned in an advisory. “With entry to the underlying working system, the attacker might additionally set up root entry on the affected gadget.”
Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The next merchandise are impacted by the flaw –
- Unified Communications Supervisor (variations 11.5, 12.5(1), and 14)
- Unified Communications Supervisor IM & Presence Service (variations 11.5(1), 12.5(1), and 14)
- Unified Communications Supervisor Session Administration Version (variations 11.5, 12.5(1), and 14)
- Unified Contact Middle Categorical (variations 12.0 and earlier and 12.5(1))
- Unity Connection (variations 11.5(1), 12.5(1), and 14), and
- Virtualized Voice Browser (variations 12.0 and earlier, 12.5(1), and 12.5(2))
Whereas there aren’t any workarounds that handle the shortcoming, the networking gear maker is urging customers to arrange entry management lists to restrict entry the place making use of the updates will not be instantly attainable.
“Set up entry management lists (ACLs) on middleman gadgets that separate the Cisco Unified Communications or Cisco Contact Middle Options cluster from customers and the remainder of the community to permit entry solely to the ports of deployed providers,” the corporate mentioned.
The disclosure arrives weeks after Cisco shipped fixes for a important security flaw impacting Unity Connection (CVE-2024-20272, CVSS rating: 7.3) that might allow an adversary to execute arbitrary instructions on the underlying system.
