Cisco warns of critical RCE flaw in communications software – Source: www.bleepingcomputer.com

Cisco is warning that several of its Unified Communications Manager (CM) and Contact Center Solutions products are vulnerable to a critical severity remote code execution security issue.

Cisco’s Unified Communications and Contact Center Solutions are integrated solutions that provide enterprise-level voice, video, and messaging services, as well as customer engagement and management.

The company has published a security bulletin to warn about the vulnerability, currently tracked as CVE-2024-20253, which could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

The vulnerability was discovered by Synacktiv researcher Julien Egloff and received a 9.9 base score out of a maximum of 10. It is caused by improper processing of user-provided data read into memory.

Attackers could exploit it by sending a specially crafted message to a listening port, potentially gaining the ability to execute arbitrary commands with the privileges of the web services user, and establish root access.

CVE-2024-20253 impacts the following Cisco products in their default configurations:

• Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1) and 12.5(2)
• Unified Communications Manager (Unified CM) versions 11.5, 12.5(1), and 14. (same for Unified CM SME)
• Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions 11.5(1), 12.5(1), and 14. 
• Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2).
• Unified Contact Center Express (UCCX) versions 12.0 and earlier and 12.5(1).
• Unity Connection versions 11.5(1), 12.5(1), and 14.
• Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1), and 12.5(2).

The vendor says there is no workaround and the recommended action is to apply the available security updates. The following releases address the critical remote code execution (RCE) flaw:

• PCCE: 12.5(1) and 12.5(2) apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn.
• Unified CM and Unified CME: 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512. 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512.
• Unified CM IM&P: 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512. 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512.
• UCCE: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).
• UCCX: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1).
• VVB: Apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn for 12.5(1) and 12.5(2).

Cisco advises admins to set up access control lists (ACLs) as a mitigation strategy for case where applying the updates is not immediately possible.

Specifically, users are recommended to implement ACLs on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network.

The ACLs must be configured to allow access only to the ports of deployed services, effectively controlling the traffic that can reach the affected components.

Before deploying any mitigation measures, admins should evaluate their applicability and potential impact on the environment, and test them in a controlled space to ensure business operations are not impacted.

The company notes that it is not aware of any public announcements or malicious use of the vulnerability.