THREAT LEVEL - HIGH

26-01-2024

New Critical RCE Flaw in Cisco Unified Communications Manager (CM) and Contact Center Solutions products

Threat Level Description

Threat Level: High – An attack is highly likely. This level calls for additional and sustainable protective security measures, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.


Description

We have observed that a new critical vulnerability has been identified in Cisco Unified Communications Manager (CM) and Contact Center Solutions products.

An attacker, by exploiting this vulnerability, could achieve remote code execution on affected systems with the privileges of the web services user.

Cisco’s Unified Communications and Contact Center Solutions are integrated solutions that provide enterprise-level voice, video, and messaging services, as well as customer engagement and management.

This vulnerability, tracked as CVE-2024-20253, is due to the improper processing of user-provided data that is being read into memory.

An attacker could exploit this vulnerability by sending a specially crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the operating system with the privileges of the web services user. With access to the operating system, the attacker could also establish root access on the affected device.


CVE(s)

CVE-2024-20253

Affected Systems

  • Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2).
  • Unified Communications Manager (Unified CM) versions 11.5, 12.5(1), and 14 (same for Unified CM SME).
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions 11.5(1), 12.5(1), and 14.
  • Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2).
  • Unified Contact Center Express (UCCX) versions 12.0 and earlier and 12.5(1).
  • Unity Connection versions 11.5(1), 12.5(1), and 14.
  • Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1), and 12.5(2).


Recommendation(s)

You should immediately apply all relevant security patches provided by the vendor.

While there are no workarounds that address this issue, the vendor is urging admins to set up access control lists (ACLs) to limit access where applying the updates is not immediately possible.

Specifically, users are advised to implement ACLs on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network.

The ACLs must be configured to allow access only to the ports of deployed services, effectively controlling the traffic that can reach the affected components.

Before deploying any mitigation measures, admins should evaluate their applicability and potential impact on the environment, and test them in a controlled space to ensure business operations are not impacted.
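
The allow-list approach described above, as an added example that is not part of the original advisory or the vendor's guidance: it renders a default-deny ACL in Cisco IOS-style syntax from an inventory of deployed services and evaluates sample flows against the same policy before deployment. The cluster subnet, source networks, ports, ACL name and function names are constructed placeholders.

```python
import ipaddress

# Constructed inventory: which services are actually deployed on the cluster
# and who needs them. Ports and networks are placeholders (assumptions); take
# the real ones from the vendor's port-usage guide and your own addressing.
CLUSTER = ipaddress.ip_network("10.50.0.0/28")
DEPLOYED = [
    # (name, protocol, destination port, permitted source network)
    ("sip-tls",   "tcp", 5061, ipaddress.ip_network("10.20.0.0/16")),
    ("web-admin", "tcp", 8443, ipaddress.ip_network("10.99.1.0/24")),
]

def render_acl(name="UC-CLUSTER-IN"):
    """Render the allow-list as IOS-style extended ACL lines (default deny)."""
    lines = [f"ip access-list extended {name}"]
    for svc, proto, port, src in DEPLOYED:
        lines.append(f" remark {svc}")
        lines.append(
            f" permit {proto} {src.network_address} {src.hostmask} "
            f"{CLUSTER.network_address} {CLUSTER.hostmask} eq {port}"
        )
    lines.append(" deny ip any any log")  # everything else is dropped and logged
    return lines

def is_permitted(src_ip, dst_ip, proto, port):
    """Evaluate one flow against the same allow-list, for pre-deployment tests."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in CLUSTER:
        return False  # the ACL has no permit entry for other destinations
    return any(
        proto == p and port == dport and src in net
        for _, p, dport, net in DEPLOYED
    )

def unexpected_exposure(observed_flows):
    """Return flows seen reaching the cluster that the allow-list would block."""
    return [f for f in observed_flows if not is_permitted(*f)]

if __name__ == "__main__":
    print("\n".join(render_acl()))
```

Feeding `unexpected_exposure` with flows taken from existing firewall or NetFlow logs shows which current traffic the ACL would cut off, which supports the impact evaluation recommended above.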

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled at all times, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including penetration testing at least annually and upon significant changes.

