Cisco has launched patches to deal with a essential safety flaw impacting Unified Communications and Contact Middle Options merchandise that might allow an unauthenticated, distant attacker to execute arbitrary code on an affected machine.
Tracked as CVE-2024-20253 (CVSS rating: 9.9), the problem stems from improper processing of user-provided knowledge {that a} risk actor may abuse to ship a specifically crafted message to a listening port of a inclined equipment.
“A profitable exploit may permit the attacker to execute arbitrary instructions on the underlying working system with the privileges of the net providers consumer,” Cisco stated in an advisory. “With entry to the underlying working system, the attacker may additionally set up root entry on the affected machine.”
Synacktiv safety researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The next merchandise are impacted by the flaw –
- Unified Communications Supervisor (variations 11.5, 12.5(1), and 14)
- Unified Communications Supervisor IM & Presence Service (variations 11.5(1), 12.5(1), and 14)
- Unified Communications Supervisor Session Administration Version (variations 11.5, 12.5(1), and 14)
- Unified Contact Middle Categorical (variations 12.0 and earlier and 12.5(1))
- Unity Connection (variations 11.5(1), 12.5(1), and 14), and
- Virtualized Voice Browser (variations 12.0 and earlier, 12.5(1), and 12.5(2))
Whereas there aren’t any workarounds that tackle the shortcoming, the networking gear maker is urging customers to arrange entry management lists to restrict entry the place making use of the updates isn’t instantly attainable.
“Set up entry management lists (ACLs) on middleman gadgets that separate the Cisco Unified Communications or Cisco Contact Middle Options cluster from customers and the remainder of the community to permit entry solely to the ports of deployed providers,” the corporate stated.
The disclosure arrives weeks after Cisco shipped fixes for a essential safety flaw impacting Unity Connection (CVE-2024-20272, CVSS rating: 7.3) that might allow an adversary to execute arbitrary instructions on the underlying system.
