
Cisco patches critical vulnerability in Unified Communications products

Cisco fixed a critical flaw this week that affects multiple Unified Communications and Contact Center Solutions products and could be exploited remotely by unauthenticated attackers to execute arbitrary code on impacted devices. Medium severity vulnerabilities have also been patched in Cisco Small Business Series Switches and Cisco Unity Connection.

The critical bug is tracked as CVE-2024-20253 and is rated 9.9 out of 10 on the CVSS severity scale. It stems from improper handling of user-supplied data as it is read into memory, and an unauthenticated remote attacker can trigger it by sending a specially crafted message to one of the network ports on which the affected device listens.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said in its advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”

The CVE-2024-20253 vulnerability impacts multiple products in their default configurations including Unified Communications Manager (Unified CM), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unified Communications Manager Session Management Edition (Unified CM SME), Unified Contact Center Express (UCCX), Unity Connection and Virtualized Voice Browser.

Cisco Unified Communications is a product suite that lets enterprises unify voice, video, and data communications over IP-based networks. Unified Communications Manager handles call control and session management, and Unity Connection is a unified messaging solution that lets users access messages from an email inbox, web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone, or tablet.

Cisco customers urged to patch products or mitigate the vulnerability

Customers are urged to deploy the released patches for all impacted products as soon as possible. If patching has to be delayed, the vulnerable devices should be placed behind firewalls or switches that enforce access control lists, permitting only the ports required by the services actually deployed and only from the networks that need them. This reduces exposure but does not remove the flaw, since the vulnerable services still listen on whatever ports remain reachable, so it is a stopgap rather than a substitute for the update. Security best practices and hardening guides are available for both Cisco Unified Communications Manager and Cisco Unified ICM/Contact Center Enterprise.
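As an added illustration of that interim mitigation (this is not from Cisco's advisory or its hardening guides), the following IOS extended ACL sits on the Layer 3 interface facing a Unified CM node and allows only the ports needed by the deployed services, from the subnets that need them. The addresses, interface name, and the port list are assumptions chosen for the example; the real port list must come from the port usage documentation for the specific products and services in use.

```cisco
! Added example, not Cisco's own configuration. Addresses, interface and ports are
! assumptions; build the real permit list from the product port usage guide.
ip access-list extended UC-CLUSTER-IN
 remark --- web administration and SSH only from the admin subnet (assumed 10.10.50.0/24) ---
 permit tcp 10.10.50.0 0.0.0.255 host 10.20.1.10 eq 443
 permit tcp 10.10.50.0 0.0.0.255 host 10.20.1.10 eq 8443
 permit tcp 10.10.50.0 0.0.0.255 host 10.20.1.10 eq 22
 remark --- SIP signaling only from the phone VLANs (assumed 10.30.0.0/16) ---
 permit tcp 10.30.0.0 0.0.255.255 host 10.20.1.10 eq 5060
 permit tcp 10.30.0.0 0.0.255.255 host 10.20.1.10 eq 5061
 permit udp 10.30.0.0 0.0.255.255 host 10.20.1.10 eq 5060
 remark --- everything else toward the node is dropped and logged ---
 deny ip any any log
!
interface GigabitEthernet0/1
 description Toward Unified CM cluster (assumed)
 ip access-group UC-CLUSTER-IN out
```

Applying the list outbound on the cluster-facing interface filters traffic heading toward the node regardless of which user-side interface it entered on. Before enforcing it, compare the permit lines against every service the cluster actually runs (for example TFTP for phone configuration or SCCP if legacy endpoints remain) and watch the deny log counters for a period, since a missing port here breaks phones rather than attackers. The list limits who can reach the vulnerable services; it does not change the fact that any host still permitted can deliver the crafted message, so the patch remains the fix.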
