National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communications providers of the Republic of Cyprus.

Critical Vulnerability in Cisco Unified Communications Products

11 March 2024

The DSA wants to bring to your attention that Cisco recently released security updates to address a critical vulnerability in its Unified Communications products.


VULNERABILITY DETAILS:

  • CVE-2024-20253
  • CVSS Score: 9.9 Critical
  • A critical remote code execution (RCE) vulnerability exists in multiple Cisco Unified Communications and Contact Center Solutions products. It is caused by improper processing of user-provided data that is read into memory, and it could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device by sending a crafted message to a listening port.
  • A successful exploit of this vulnerability could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could then potentially gain root access on the affected device.


Affected Products:

  • Unified Communications Manager (Unified CM)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P)
  • Unified Communications Manager Session Management Edition (Unified CM SME)
  • Unified Contact Center Express (UCCX)
  • Unity Connection
  • Virtualized Voice Browser (VVB)


Mitigation:

Cisco recommends establishing access control lists (ACLs) on the intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network, so that only the ports of the deployed services are reachable.

Note: Refer to the Cisco security advisory for fixed versions and further information.
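The following is an added example of the ACL mitigation described above, not configuration taken from the advisory or from Cisco. It is a Cisco IOS extended ACL applied on an intermediary Layer 3 device; the subnets are RFC 5737 documentation ranges, and the permitted ports assume that the only deployed services are SIP/SCCP phone registration, TFTP phone configuration and the HTTPS administration interface. Those ports are assumptions: the real list must be taken from the services actually enabled on the cluster.

```cisco
! Constructed example: interface ACL protecting the UC cluster.
! Object groups keep the policy readable and easy to audit.
object-group network UC-CLUSTER
 ! assumed: Unified CM / IM&P cluster subnet
 198.51.100.0 255.255.255.0
object-group network UC-CLIENTS
 ! assumed: IP phones and user workstations
 192.0.2.0 255.255.255.0
object-group network UC-ADMINS
 ! assumed: single administration jump host
 host 192.0.2.10
!
ip access-list extended UC-CLUSTER-INBOUND
 remark -- SIP and SCCP registration from endpoints (assumed deployed)
 permit tcp object-group UC-CLIENTS object-group UC-CLUSTER eq 5060
 permit udp object-group UC-CLIENTS object-group UC-CLUSTER eq 5060
 permit tcp object-group UC-CLIENTS object-group UC-CLUSTER eq 5061
 permit tcp object-group UC-CLIENTS object-group UC-CLUSTER eq 2000
 remark -- TFTP phone configuration download (assumed deployed)
 permit udp object-group UC-CLIENTS object-group UC-CLUSTER eq 69
 remark -- HTTPS administration only from the admin host
 permit tcp object-group UC-ADMINS object-group UC-CLUSTER eq 8443
 remark -- add media ports (MoH, conferencing) here only if those
 remark    services are deployed on the cluster
 remark -- everything else towards the cluster is dropped and logged;
 remark    hits on this line are the detection signal to monitor
 deny ip any object-group UC-CLUSTER log
 permit ip any any
!
interface GigabitEthernet0/1
 description Towards user VLANs (assumed topology)
 ip access-group UC-CLUSTER-INBOUND in
```

The logged deny line doubles as a detection control: forward the resulting syslog messages to the SIEM and alert on any source that repeatedly hits it, since legitimate endpoints should never trigger it once the permit list matches the deployed services.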


Recommendations:

The Digital Security Authority recommends applying the security updates recently released by Cisco.


The information presented in this report is based on available data up to the 25th of January 2024.
