Cisco has issued patches for a critical security vulnerability affecting its Unified Communications and Contact Center Solutions products. The flaw, tracked as CVE-2024-20253 with a CVSS score of 9.9, stems from improper processing of user-provided data and allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable device.
An attacker could exploit the bug by sending a crafted message to a listening port on an exposed appliance. A successful exploit yields arbitrary command execution on the device's underlying operating system with the privileges of the web services user; from that foothold, the attacker could go on to establish root access on the compromised device.
Security researcher Julien Egloff from Synacktiv is credited with discovering and reporting CVE-2024-20253. The impacted products include Unified Communications Manager (versions 11.5, 12.5(1), and 14), Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14), Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14), Unified Contact Center Express (versions 12.0 and earlier, and 12.5(1)), Unity Connection (versions 11.5(1), 12.5(1), and 14), and Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2)).
No workarounds address the vulnerability. As a mitigation, particularly where the updates cannot be applied immediately, Cisco advises establishing access control lists (ACLs) on intermediary devices that separate the Unified Communications or Contact Center Solutions cluster from users and the rest of the network, so that only the ports of deployed services are reachable.
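To make the mitigation concrete, the following is an added example of what such an ACL could look like on a Cisco IOS router or Layer 3 switch sitting between the cluster and the rest of the network. It is not taken from Cisco's advisory or from any Cisco documentation, and every address range and port in it is an assumption: the cluster subnet, phone subnet, admin subnet, and the set of signalling, provisioning and administration ports must be replaced with those of the actual deployment.

```cisco
! Added example, not from Cisco's advisory. All subnets and ports are assumptions:
!   10.10.1.0/24  = UC cluster nodes (assumed)
!   10.20.0.0/16  = phone/user VLANs (assumed)
!   10.99.0.0/24  = administrator workstations (assumed)
! Only the services actually deployed should be listed; anything else toward the
! cluster is denied and logged so that unexpected exposure shows up in syslog.
ip access-list extended UC-CLUSTER-INGRESS
 remark Phones: SIP and SCCP call signalling to the cluster (ports assumed)
 permit tcp 10.20.0.0 0.0.255.255 10.10.1.0 0.0.0.255 eq 5060
 permit udp 10.20.0.0 0.0.255.255 10.10.1.0 0.0.0.255 eq 5060
 permit tcp 10.20.0.0 0.0.255.255 10.10.1.0 0.0.0.255 eq 5061
 permit tcp 10.20.0.0 0.0.255.255 10.10.1.0 0.0.0.255 eq 2000
 remark Phones: TFTP configuration download (assumed to be deployed)
 permit udp 10.20.0.0 0.0.255.255 10.10.1.0 0.0.0.255 eq 69
 remark Administrators only: web administration interface
 permit tcp 10.99.0.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 443
 permit tcp 10.99.0.0 0.0.0.255 10.10.1.0 0.0.0.255 eq 8443
 remark Drop and log everything else destined for the cluster
 deny ip any 10.10.1.0 0.0.0.255 log
 remark Traffic not destined for the cluster is unaffected by this list
 permit ip any any
!
! Apply in the direction of traffic flowing toward the cluster. Here the
! interface faces the cluster VLAN, so the list is applied outbound.
interface GigabitEthernet0/1
 description Toward UC cluster VLAN (assumed interface)
 ip access-group UC-CLUSTER-INGRESS out
```

Two caveats apply before relying on a list like this. First, the cluster usually has legitimate peers beyond phones and administrators (other cluster nodes, voice gateways, SIP trunks, directory and monitoring systems), and each of those flows needs its own permit line or it will break when the ACL goes live. Second, the ACL only narrows who can reach the listening ports; the hosts that remain permitted can still send the crafted message, so it reduces exposure rather than removing the vulnerability, and the `deny ... log` hit counters (visible with `show ip access-lists UC-CLUSTER-INGRESS`) are worth watching for unexpected sources until the patch is applied.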
The disclosure follows Cisco's recent fix for another critical flaw in Unity Connection (CVE-2024-20272, CVSS score: 7.3), an arbitrary file upload bug in the web-based management interface that could likewise let an unauthenticated attacker execute arbitrary commands on the underlying system.