Cisco is warning that several of its Unified Communications Manager (CM) and Contact Center Solutions products are vulnerable to a critical-severity remote code execution security issue.
Cisco’s Unified Communications and Contact Center Solutions are integrated solutions that provide enterprise-level voice, video, and messaging services, as well as customer engagement and management.
The company has published a security bulletin to warn about the vulnerability, currently tracked as CVE-2024-20253, which could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
The vulnerability was discovered by Synacktiv researcher Julien Egloff and received a 9.9 base score out of a maximum of 10. It is caused by improper processing of user-provided data read into memory.
Attackers could exploit it by sending a specially crafted message to a listening port, potentially gaining the ability to execute arbitrary commands with the privileges of the web services user, and establish root access.
CVE-2024-20253 impacts the following Cisco products in their default configurations:
- Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1) and 12.5(2)
- Unified Communications Manager (Unified CM) versions 11.5, 12.5(1), and 14 (same for Unified CM SME)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions 11.5(1), 12.5(1), and 14.
- Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2).
- Unified Contact Center Express (UCCX) versions 12.0 and earlier and 12.5(1).
- Unity Connection versions 11.5(1), 12.5(1), and 14.
- Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1), and 12.5(2).
The vendor says there is no workaround and the recommended action is to apply the available security updates. The following releases address the critical remote code execution (RCE) flaw:
- PCCE: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).
- Unified CM and Unified CME: 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512. 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512.
- Unified CM IM&P: 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512. 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512.
- UCCE: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).
- UCCX: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1).
- VVB: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).
Cisco advises admins to set up access control lists (ACLs) as a mitigation strategy for cases where applying the updates is not immediately possible.
Specifically, users are recommended to implement ACLs on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network.
The ACLs must be configured to allow access only to the ports of deployed services, effectively controlling the traffic that can reach the affected components.
Before deploying any mitigation measures, admins should evaluate their applicability and potential impact on the environment, and test them in a controlled space to ensure business operations are not impacted.
The company notes that it is not aware of any public announcements or malicious use of the vulnerability.