The networking giant Cisco addressed a severe security flaw affecting its Unified Communications Products. Exploiting the vulnerability could allow remote code execution on target devices. Cisco urges users to update their systems with the latest software release at the earliest to receive the fix.
Critical RCE Flaw Riddled Cisco Unified Communication Products
As disclosed through a recent advisory, Cisco patched a critical severity remote code execution flaw affecting its Unified Communications Products.
Specifically, the vulnerability existed due to “improper processing of user-provided data that is being read into memory.” An adversary could exploit the flaw by sending maliciously crafted messages to the listening port of the target device. Once done, the attacker could execute arbitrary codes on the target system with the web services user privileges. In worst-case exploitation, the attacker could also gain root access to the target system.
Regarding the vulnerable Cisco products, the advisory mentions the following devices.
- Unified Communications Manager (Unified CM)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P)
- Unified Communications Manager Session Management Edition (Unified CM SME)
- Unified Contact Center Express (UCCX)
- Unity Connection
- Virtualized Voice Browser (VVB)
While the firm confirmed no active workarounds for this vulnerability, they did share a mitigation strategy to address the flaw. It includes establishing separate access control lists (ACLs) on intermediary devices, allowing access to the ports of deployed services, and separating vulnerable devices from the rest of the network. In cases where an immediate software update isn’t possible, this mitigation can help protect vulnerable devices from potential threats. Nonetheless, Cisco leaves it to the users to decide whether applying the mitigation suits their environments.
Cisco identified this vulnerability, CVE-2024-20253, as a critical severity flaw that achieved a CVSS score of 9.9. The firm acknowledged the security researcher Julien Egloff from Synacktiv for discovering and reporting this matter.
Let us know your thoughts in the comments.