A critical vulnerability in Cisco Unity Connection – a messaging and voicemail product that forms part of the networking supplier’s unified communications lineup – could enable unauthenticated and remote attackers to gain root privileges on targeted systems, and needs to be addressed immediately.
The flaw, which has been assigned CVE-2024-20272, lies within the web-based management interface of Unity Connection. It has arisen due to a lack of authentication in a specific application programming interface (API) and improper validation of user-supplied data.
“An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root,” Cisco said in an advisory published at 4pm GMT on Wednesday 10 January.
“Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability,” it said.
The vulnerability is currently known to affect versions 12.5 and earlier, and 14, of Unity Connection. The most recent version, 15, is unaffected.
Cisco is urging users of Unity Connection to obtain and apply the free update that will address the issue, which is credited to security researcher Maxim Suslov. More information is available from Cisco.
It added that its PSIRT was not aware of any public disclosures or malicious use of the vulnerability at this time.
The Cisco Unity Connection product is described as a “robust unified messaging and voicemail solution” that enables users to access and manage their messages from their email inbox, a web browser, Cisco Jabber, Cisco Unified IP Phone, smartphone or tablet.
It boasts a range of message access and delivery format options, such as support for voice commands, speech-to-text transcription and video greetings.
Designed for complex distributed global deployments with a particular focus on branch offices, the product is fully virtualised and can be run on specification-based hardware.
Additional vulnerabilities
Alongside the patch for CVE-2024-20272, Cisco also released fixes for 10 additional vulnerabilities of lesser severity:
- CVE-2024-20251, a cross-site scripting vulnerability in Cisco Identity Services Engine.
- CVE-2024-20270, a cross-site scripting vulnerability in Cisco BroadWorks Application Delivery Platform and Xtended Services Platform.
- CVE-2023-20257, -20258, -20260 and -20271, a quartet of infrastructure vulnerabilities in Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure.
- CVE-2024-20287, a command injection vulnerability in Cisco WAP371 Wireless Access Point.
- CVE-2024-20277, a privilege escalation vulnerability in Cisco ThousandEyes Enterprise Agent Virtual Appliance.
- And CVE-2023-20248 and -20249, a pair of cross-site scripting vulnerabilities in Cisco Telepresence Management Suite.
All of these vulnerabilities are assessed to be of medium importance, carrying CVSS scores of between 4.8 and 6.8. Further details of each one are available via Cisco’s security advisory microsite.
Updated fixes for two further privilege escalation vulnerabilities in Cisco Identity Services Engine – CVE-2023-20193 and -20194 – were released on 8 January. These issues were first published in September 2023.
Commenting on the updates, Brian Contos, chief security officer of Sevco Security, a specialist in asset visibility and management, said: “It seems like every day we hear about another critical vulnerability with the potential to wreak havoc that enterprise security teams rush to patch before moving on to the next one. The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset.
“The simple fact is that most organisations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets – including those that are abandoned or forgotten about – are accounted for. It’s impossible to defend your network when you can’t see the entire attack surface. That’s why the ability to develop a comprehensive, real-time inventory of IT assets is a foundational element of any successful security programme.”