Critical Cisco Unified Communications RCE Bug Allows Root Access
The vulnerability, tracked as CVE-2024-20253, makes enterprise communications infrastructure and customer service call centers sitting ducks for unauthenticated cyberattackers.
January 25, 2024
A critical security vulnerability in Cisco Unified Communications and Contact Center Solutions (UC/CC) could allow unauthenticated remote code execution (RCE).
The bug (CVE-2024-20253, 9.9 CVSS) arises thanks to "improper processing of user-provided data that is being read into memory," according to Cisco's advisory, issued yesterday.
Remote attackers who are not logged onto the system can simply send specially crafted messages to a vulnerable device's listening port in order to achieve RCE; from there, they can execute code on the underlying operating system with the privileges of the Web services user, and/or gain root access.
Cisco's UC/CC platforms are used by small and midsized businesses (SMBs) and enterprises to provide communications over IP, including voice calling, video calls, mobile integration, chat and messaging, app integrations, and more. As such, device compromise could have a number of bad outcomes, including: locking up an organization's communications infrastructure with ransomware and disrupting customer service interactions; allowing cyberattackers to infiltrate IP phones and other endpoints hooked into the system; eavesdropping on communications; data exfiltration; recon for follow-on phishing attacks; and more.
Cisco's advisory offers a list of affected versions and corresponding patches. For those unable to immediately update, the networking giant also detailed a mitigation path. This involves establishing access control lists (ACLs) on intermediary devices that separate the UC/CC cluster from the rest of the network, "to allow access only to the ports of deployed services."
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024