Summary
Cisco has released a security bulletin regarding a critical-severity remote code execution vulnerability in its Unified Communications Manager and related products.
CVE-2024-20253, CVSS 3.1: 9.9 CRITICAL. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code on an affected device by sending a specially crafted message to a listening port. A successful exploit gives the attacker the ability to execute arbitrary commands as the web services user and, from there, with the privileges of the root user.
Affected products
- Packaged Contact Center Enterprise (PCCE) versions 12.0 and earlier, 12.5(1) and 12.5(2)
- Unified Communications Manager (Unified CM) versions 11.5, 12.5(1), and 14. (same for Unified CM SME)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P) versions 11.5(1), 12.5(1), and 14.
- Unified Contact Center Enterprise (UCCE) versions 12.0 and earlier, 12.5(1), and 12.5(2).
- Unified Contact Center Express (UCCX) versions 12.0 and earlier and 12.5(1).
- Unity Connection versions 11.5(1), 12.5(1), and 14.
- Virtualized Voice Browser (VVB) versions 12.0 and earlier, 12.5(1), and 12.5(2).
Security recommendation
Cisco has not provided workarounds but has released security updates that address the vulnerability.
- PCCE: for 12.5(1) and 12.5(2), apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn.
- Unified CM and Unified CM SME: upgrade to 12.5(1)SU8 or apply ciscocm.v1_java_deserial-CSCwd64245.cop.sha512; upgrade to 14SU3 or apply ciscocm.v1_java_deserial-CSCwd64245.cop.sha512.
- Unified CM IM&P: upgrade to 12.5(1)SU8 or apply ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512; upgrade to 14SU3 or apply ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512.
- UCCE: for 12.5(1) and 12.5(2), apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn.
- UCCX: for 12.5(1), apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn.
- VVB: for 12.5(1) and 12.5(2), apply patch ucos.v1_java_deserial-CSCwd64245.cop.sgn.
Cisco recommends placing ACLs in front of devices that cannot be updated, configured to allow access only to the ports of the services actually deployed.
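As an added example (not from Cisco's bulletin), the following Python script encodes the affected trains and fixes listed above and classifies a reported version string against them. The product keys, the version-string parser and the status strings are this example's own choices; note that the bulletin lists no fix for Unity Connection or for the 11.5 and "12.0 and earlier" trains, so those simply report as affected with no fix listed.

```python
import re

# Fix files named in the bulletin (a COP file does not change the reported version string).
COP_UCOS = "ucos.v1_java_deserial-CSCwd64245.cop.sgn"
COP_CM = "ciscocm.v1_java_deserial-CSCwd64245.cop.sha512"
COP_IMP = "ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512"

# Per product: (affected train, first fixed SU on that train or None, COP fix or None).
# The literal "<=12.0" stands for the bulletin's "12.0 and earlier".
_CC = [("<=12.0", None, None), ((12, 5, 1), None, COP_UCOS), ((12, 5, 2), None, COP_UCOS)]
ADVISORY = {
    "Unified CM": [((11, 5), None, None), ((12, 5, 1), 8, COP_CM), ((14,), 3, COP_CM)],
    "Unified CM IM&P": [((11, 5, 1), None, None), ((12, 5, 1), 8, COP_IMP), ((14,), 3, COP_IMP)],
    "Unity Connection": [((11, 5, 1), None, None), ((12, 5, 1), None, None), ((14,), None, None)],
    "PCCE": _CC, "UCCE": _CC, "VVB": _CC,
    "UCCX": [("<=12.0", None, None), ((12, 5, 1), None, COP_UCOS)],
}

# Cisco UC version strings: major[.minor][(maintenance)][SUn], e.g. 12.5(1)SU8, 14SU3, 11.5(1).
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\((\d+)\))?(?:SU(\d+))?$", re.I)

def parse_version(text):
    """'12.5(1)SU8' -> (12, 5, 1, 8); '14SU3' -> (14, 0, 0, 3). Raises on unknown formats."""
    m = _VERSION_RE.match(text.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def assess(product, version, installed_cops=()):
    """Return a status string for one product/version against the CVE-2024-20253 bulletin."""
    major, minor, maint, su = parse_version(version)
    for train, fixed_su, cop in ADVISORY[product]:
        if train == "<=12.0":
            on_train = (major, minor) <= (12, 0)
        else:
            on_train = (major, minor, maint)[:len(train)] == train
        if not on_train:
            continue
        if fixed_su is not None and su >= fixed_su:
            return "not affected: fixed SU already running"
        if cop is not None and cop in installed_cops:
            return "not affected: COP fix installed"
        remedies = ([f"upgrade to SU{fixed_su}"] if fixed_su else []) + ([f"install {cop}"] if cop else [])
        return "affected: " + (" or ".join(remedies) if remedies else "no fix listed in the bulletin")
    return "not listed as affected"

if __name__ == "__main__":
    for p, v in [("Unified CM", "12.5(1)SU7"), ("PCCE", "12.0(1)"), ("Unified CM", "14SU3")]:
        print(p, v, "->", assess(p, v))
```

Feed it the version string shown by `show version active` on each node and the list of installed COP files; any "affected" result is a host to patch or to wrap in the ACLs recommended above.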
More info can be found here