Cisco is warning customers about a critical remote code execution vulnerability that affects several of its Unified Communications Manager (CM) and Contact Center Solutions products. These integrated platforms provide enterprise voice, video and messaging services as well as customer engagement and contact-centre management.
Cisco has published a security advisory for the flaw, tracked as CVE-2024-20253, which could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The bug was reported by Julien Egloff of Synacktiv and carries a CVSS base score of 9.9 out of 10. Its root cause is improper processing of user-supplied data that is read into memory.
An attacker could exploit the flaw by sending a crafted message to a listening port on an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user; with that foothold on the operating system, the attacker could then escalate to root on the device. CVE-2024-20253 affects a number of Cisco Unified Communications Manager and Contact Center Solutions products (enumerated in Cisco's advisory) in their default configurations.
Cisco states that there is no workaround for this vulnerability. The recommended course of action is to upgrade to one of the fixed software releases, which Cisco lists in the advisory for each affected product.
Where the updates cannot be applied immediately, Cisco advises administrators to use access control lists (ACLs) as an interim mitigation. Specifically, ACLs should be placed on the intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and from the rest of the network, and configured to permit traffic only to the ports of the services actually deployed, so that the exposure of the affected components is limited to the traffic that must reach them. Note that such a filter reduces the attack surface without removing the flaw: any source the ACL still permits can reach the listening service.
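The following is an added illustration of the mitigation described above, written in Cisco IOS extended ACL syntax for a Layer 3 device sitting between the user VLAN and the cluster; it is not from Cisco's advisory, and the addressing (cluster subnet 10.10.20.0/24, user/phone VLAN 10.10.100.0/24, management host 10.10.1.50) and the set of permitted services (SCCP, SIP/SIP-TLS, TFTP for phone configuration, SSH and HTTPS administration) are assumptions that must be replaced with the ports of the services actually deployed in a given environment.

```cisco
! Hypothetical example: restrict what can reach a UC cluster from the user VLAN.
! Addresses and ports below are assumed, not taken from the advisory.
ip access-list extended UC-CLUSTER-PROTECT
 remark -- IP phones and softphones on the user VLAN: call signalling only
 permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 2000
 permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 5060
 permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 5060
 permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 5061
 remark -- phone configuration and firmware download (initial TFTP request)
 permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq tftp
 remark -- administrative access from the management host only
 permit tcp host 10.10.1.50 10.10.20.0 0.0.0.255 eq 22
 permit tcp host 10.10.1.50 10.10.20.0 0.0.0.255 eq 8443
 remark -- anything else destined to the cluster is dropped and logged
 deny   ip any 10.10.20.0 0.0.0.255 log
 remark -- traffic not destined to the cluster is left alone
 permit ip any any
!
interface Vlan100
 description User and phone VLAN (inbound filter towards the cluster)
 ip access-group UC-CLUSTER-PROTECT in
```

The ACL is applied inbound on the user-facing interface, so only user-to-cluster traffic is filtered and replies from the cluster are unaffected. The explicit `deny ... log` entry doubles as a cheap detection point: hits against it during the mitigation window are worth reviewing. Deployments that use software media resources on the cluster (conference bridges, MTP, music on hold) will need additional UDP ranges permitted, which is one reason Cisco asks that the ACLs be tested before being rolled out.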
Before deploying any mitigation, administrators should assess whether it is appropriate for their environment and what impact it may have, and should test it in a controlled setting to confirm that call flows and other business operations are not disrupted. Cisco has said it is not aware of any public disclosure of, or malicious exploitation of, this vulnerability.