Cisco unified comms systems patched against RCE – Security
Users of a variety of Cisco unified communications products need to check if their environment is subject to a critical-rated vulnerability.
CVE-2024-20253 is a remote code execution (RCE) vulnerability present in the default configuration of the company’s Packaged Contact Center Enterprise, Unified Communications Manager, Unified Communications Manager IM and Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Enterprise, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser.

The bug, reported by Julien Egloff from Synacktiv, occurs when the system processes user-provided data that’s being read into memory.

“An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device,” Cisco’s advisory said.

A successful exploit “could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user.

“With access to the underlying operating system, the attacker could also establish root access on the affected device,” the advisory continued.

The only mitigation mentioned in the advisory is to use access control lists to separate users, and the rest of the network, from the unified communications or contact centre clusters, allowing access only to “the ports of deployed services”.
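To make the advisory’s mitigation concrete, the following is an added illustration (not Cisco’s ACL syntax, configuration, or any code from the advisory) of a deny-by-default access list that lets a user segment reach the cluster only on the ports of deployed services. The subnets (`10.10.0.0/16` for users, `10.20.0.0/24` for the cluster) and the permitted ports (`443`, `5061`) are constructed assumptions for the example; in a real deployment they would be the cluster’s actual addresses and the services actually enabled on it.

```python
"""Deny-by-default access list modelling the advisory's mitigation.

Added illustration, not Cisco's own ACL syntax or configuration. The
subnet and port values below are constructed for the example and must be
replaced with the addresses of the real UC/contact-centre cluster and the
ports of the services actually deployed on it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network      # source subnet allowed to talk to the cluster
    dst: ipaddress.IPv4Network      # cluster subnet
    ports: frozenset                # destination ports of deployed services only


# Constructed example: the cluster lives in 10.20.0.0/24 and exposes only
# two assumed deployed services (HTTPS and SIP over TLS) to the user VLAN.
# Every other listening port, on every other source, falls through to the
# implicit deny, which is what removes reachability of unneeded listeners.
UC_CLUSTER = ipaddress.ip_network("10.20.0.0/24")
RULES = [
    Rule(ipaddress.ip_network("10.10.0.0/16"), UC_CLUSTER, frozenset({443, 5061})),
]


def is_permitted(src_ip: str, dst_ip: str, dst_port: int, rules=RULES) -> bool:
    """First matching rule wins; no match at all means deny (implicit deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and dst_port in r.ports:
            return True
    return False


def audit(flows, rules=RULES):
    """Evaluate (src, dst, port) flows; return the ones the ACL would block."""
    return [f for f in flows if not is_permitted(*f, rules=rules)]


# Constructed sample flows: a phone in the user VLAN registering over
# SIP-TLS, the same phone reaching a port that is not a deployed service,
# and a host on an unrelated segment trying an allowed port.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.10", 5061),
    ("10.10.5.23", "10.20.0.10", 8443),
    ("192.168.99.7", "10.20.0.10", 443),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "permit" if is_permitted(*flow) else "deny")
```

Running it shows only the first flow permitted: the second is blocked because the port is not on the deployed-services list, the third because the source is outside the user segment. The same rule set is the one to express, in vendor syntax, on the switch or firewall in front of the cluster.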

This week, the company also patched a high-rated vulnerability in the command line interface (CLI) of its SD-WAN software.

CVE-2022-20716 is an access control bug that allows a local attacker to escalate their privilege to root.

Reported by Joris Oversteyns, the vulnerability affects the company’s vBond orchestrator software, SD-WAN vEdge routers (including cloud routers), vManage software, and vSmart controller software.
