Cisco fixed a critical flaw this week that affects multiple Unified Communications and Contact Center Solutions products and could be exploited remotely by unauthenticated attackers to execute arbitrary code on impacted devices. Medium severity vulnerabilities have also been patched in Cisco Small Business Series Switches and Cisco Unity Connection.
The critical bug is tracked as CVE-2024-20253 and is rated 9.9 out of 10 on the CVSS severity scale. It’s caused by insecure processing of user-supplied data that’s being loaded into memory and can be exploited by sending a specially crafted message to one of the network communication ports opened on the device.
“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said in its advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”
The CVE-2024-20253 vulnerability impacts multiple products in their default configurations including Unified Communications Manager (Unified CM), Unified Communications Manager IM & Presence Service (Unified CM IM&P), Unified Communications Manager Session Management Edition (Unified CM SME), Unified Contact Center Express (UCCX), Unity Connection and Virtualized Voice Browser.
Cisco Unified Communications is a product suite for enterprises to unify voice, video, and data communications over IP-based networks. The Unified Communications Manager is used for call control and session management and Unity Connection is a unified messaging solution that allows users to access messages from lets users access messages from an email inbox, web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone, or tablet.
Cisco customers urged to patch products or mitigate the vulnerability
Customers are urged to deploy the released patches for all the impacted products as soon as possible, but if they have to delay patching they should place the vulnerable devices between firewalls or switches that enforce access control lists and only allow access to ports necessary for deployed services. Security best practices and hardening guides are available for both Cisco Unified Communications Manager and Cisco Unified ICM/Contact Center Enterprise.
“While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions,” the company warned. “Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations.”
Lower risk Cisco vulnerabilities also patched
Separately, Cisco Unity Connection also received patches for a cross-site scripting (XSS) vulnerability in its web-based management interface. This flaw is tracked as CVE-2024-20305 and has a CVSS rating of 4.8. Attackers can exploit this flaw by tricking an authenticated user into clicking on a specially crafted link that will execute arbitrary code in their browser in the context of the Unity Connection interface. This can be used to read sensitive information.
Finally, a vulnerability was fixed in Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches that could allow unauthenticated remote attackers to bypass access control lists in a stacked switch configuration. The vulnerability, CVE-2024-20263, is rated with only medium severity because the attacker cannot control the conditions for a device to become vulnerable. This only happens when the primary or backup switches experience a full stack reload or power cycle.