Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a specially crafted message to a listening port of a susceptible appliance.
“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said in an advisory. “With access to the underlying operating system, the attacker could also establish root access on the affected device.”
Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw –
- Unified Communications Manager (versions 11.5, 12.5(1), and 14)
- Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14)
- Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14)
- Unified Contact Center Express (versions 12.0 and earlier and 12.5(1))
- Unity Connection (versions 11.5(1), 12.5(1), and 14), and
- Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2))
While there are no workarounds that address the shortcoming, the networking equipment maker is urging customers to set up access control lists to restrict access where applying the updates isn't immediately possible.
“Establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services,” the company said.
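As an illustration of what that mitigation looks like in practice, the following is an added example of an IOS-style extended ACL on the Layer 3 device that sits between user VLANs and the cluster; it is not taken from Cisco's advisory. The subnets, the interface name and the permitted ports (SIP on 5060/5061, SCCP on 2000, HTTPS on 443, SSH on 22) are assumptions standing in for the ports your own deployment actually exposes, which should be taken from the product's port documentation rather than from this example.

```cisco
! Added example, not from the advisory. All addresses and ports are assumptions:
!   10.20.1.0/24  = UC / Contact Center cluster subnet (constructed)
!   10.10.0.0/16  = phone and user VLANs (constructed)
!   10.30.0.0/24  = administration network (constructed)
ip access-list extended UC-CLUSTER-IN
 remark Call signaling from user VLANs to the cluster only (ports are assumptions)
 permit tcp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 eq 5060
 permit tcp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 eq 5061
 permit udp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 eq 5060
 permit tcp 10.10.0.0 0.0.255.255 10.20.1.0 0.0.0.255 eq 2000
 remark Web and shell administration reachable from the admin network only
 permit tcp 10.30.0.0 0.0.0.255 10.20.1.0 0.0.0.255 eq 443
 permit tcp 10.30.0.0 0.0.0.255 10.20.1.0 0.0.0.255 eq 22
 remark Anything else destined to the cluster is dropped and logged
 deny   ip any 10.20.1.0 0.0.0.255 log
 remark Traffic not destined to the cluster is left alone by this ACL
 permit ip any any
!
interface GigabitEthernet0/1
 description Uplink toward user VLANs (interface name is an assumption)
 ip access-group UC-CLUSTER-IN in
```

The ACL is applied inbound on the interfaces facing users and the rest of the network, not on the cluster-facing interface, so that only the enumerated service ports can reach the appliances at all. Before relying on it, watch the hit counter on the `deny ... log` line with `show ip access-lists UC-CLUSTER-IN` during normal operation: a service port missing from the list shows up there as dropped, logged traffic, and the logged entries double as a record of unexpected connection attempts against the cluster while the patches are being rolled out.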
The disclosure arrives weeks after Cisco shipped fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS score: 7.3) that could allow an adversary to execute arbitrary commands on the underlying system.

