Cisco has launched patches to handle a critical security flaw impacting Unified Communications and Call Heart Options solutions that could permit an unauthenticated, distant attacker to execute arbitrary code on an influenced device.
Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from poor processing of person-delivered knowledge that a menace actor could abuse to send a specially crafted message to a listening port of a prone equipment.
“A thriving exploit could make it possible for the attacker to execute arbitrary commands on the fundamental functioning technique with the privileges of the web products and services person,” Cisco said in an advisory. “With access to the underlying functioning method, the attacker could also build root obtain on the influenced machine.”
Synacktiv security researcher Julien Egloff has been credited with exploring and reporting CVE-2024-20253. The next goods are impacted by the flaw –
- Unified Communications Manager (versions 11.5, 12.5(1), and 14)
- Unified Communications Manager IM & Presence Provider (variations 11.5(1), 12.5(1), and 14)
- Unified Communications Supervisor Session Administration Version (versions 11.5, 12.5(1), and 14)
- Unified Get hold of Middle Express (variations 12. and before and 12.5(1))
- Unity Relationship (variations 11.5(1), 12.5(1), and 14), and
- Virtualized Voice Browser (variations 12. and previously, 12.5(1), and 12.5(2))
Although there are no workarounds that handle the shortcoming, the networking gear maker is urging consumers to established up access management lists to limit accessibility wherever applying the updates is not immediately achievable.
“Build access handle lists (ACLs) on middleman units that individual the Cisco Unified Communications or Cisco Contact Center Options cluster from users and the rest of the network to let entry only to the ports of deployed providers,” the corporation reported.
The disclosure comes months soon after Cisco shipped fixes for a critical security flaw impacting Unity Link (CVE-2024-20272, CVSS rating: 7.3) that could permit an adversary to execute arbitrary commands on the fundamental system.
Uncovered this posting appealing? Stick to us on Twitter and LinkedIn to read far more exclusive material we submit.
Some parts of this article are sourced from:
thehackernews.com