A critical security vulnerability in Cisco Unified Communications and Contact Center Solutions (UC/CC) could allow unauthenticated remote code execution (RCE).
The bug (CVE-2024-20253, 9.9 CVSS) arises due to “improper processing of user-provided data that is being read into memory,” according to Cisco’s advisory issued yesterday.
Remote attackers who are not logged onto the system can simply send specially crafted messages to a vulnerable device’s listening port in order to achieve RCE; from there, they can execute code on the underlying operating system with the privileges of the web services user, and/or gain root access.
Cisco’s UC/CC platforms are used by small and midsize businesses (SMBs) and enterprises to provide communications over IP, including voice calling, video calls, mobile integration, chat and messaging, app integrations, and more. As such, device compromise could have a number of bad outcomes, including: locking up an organization’s communications infrastructure with ransomware and disrupting customer service interactions; allowing cyberattackers to infiltrate IP phones and other endpoints hooked into the system; eavesdropping on communications; data exfiltration; recon for follow-on phishing attacks; and more.
Cisco’s advisory offers a list of affected versions and corresponding patches. For those unable to immediately update, the networking giant also detailed a mitigation path. This involves establishing access control lists (ACLs) on intermediary devices that separate the UC/CC cluster from the rest of the network, “to allow access only to the ports of deployed services.”
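One way to check that an intermediary device's ACL really does allow only the ports of deployed services is to audit its permit lines against that port list. The sketch below is an added example, not code from Cisco or the advisory. The ACL lines, addresses and port numbers are constructed placeholders, and it assumes IOS-style extended ACL syntax with every line applying to traffic toward the cluster.

```python
# Added example: audit IOS-style extended ACL lines against the ports of
# deployed services. Addresses and ports are constructed placeholders.
DEPLOYED_PORTS = {5060, 5061, 8443}  # placeholder: substitute your deployment's ports

SAMPLE_ACL = """\
permit tcp any host 192.0.2.10 eq 8443
permit tcp any host 192.0.2.10 eq 5060
permit tcp any host 192.0.2.10 range 5000 5100
permit ip 198.51.100.0 0.0.0.255 any
deny ip any any
"""  # constructed sample, not taken from a real device

def _skip_addr(tok, i):
    """Index just past an address spec: 'any', 'host A' or 'A WILDCARD'."""
    return i + 1 if tok[i] == "any" else i + 2

def permitted_ports(line):
    """Destination ports a permit line opens; None if it is not a permit.
    Assumes no source-port qualifier; tcp and udp are treated alike."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "permit":
        return None
    i = _skip_addr(tok, _skip_addr(tok, 2))  # skip source, then destination
    rest = tok[i:]
    if tok[1] in ("tcp", "udp") and rest[:1] == ["eq"]:
        return {int(rest[1])}
    if tok[1] in ("tcp", "udp") and rest[:1] == ["range"]:
        return set(range(int(rest[1]), int(rest[2]) + 1))
    return set(range(1, 65536))  # 'ip' or no port qualifier: every port

def audit(acl_text, deployed):
    """Return (line_no, line, extra_port_count) for each over-broad permit."""
    findings = []
    lines = [l.strip() for l in acl_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, 1):
        ports = permitted_ports(line)
        if ports is None:
            continue  # deny lines cannot widen access
        extra = ports - deployed
        if extra:
            findings.append((n, line, len(extra)))
    return findings

if __name__ == "__main__":
    for n, line, extra in audit(SAMPLE_ACL, DEPLOYED_PORTS):
        print(f"line {n}: opens {extra} port(s) beyond deployed services: {line}")
```

On the constructed sample this flags the `range` entry and the `permit ip` entry, the two lines that expose ports no deployed service uses.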