Cisco on Wednesday announced patches for a critical-severity vulnerability in multiple Unified Communications and Contact Center Solutions products.
The issue, tracked as CVE-2024-20253 (CVSS score of 9.9), exists because user-provided data is not properly processed when read into memory.
“An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco explains in its advisory.
An attacker able to exploit the security defect to access the OS could gain root access to a vulnerable device, the tech giant says.
The flaw impacts the default configuration of Packaged Contact Center Enterprise, Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Enterprise, Unified Contact Center Express, Unity Connection, and Virtualized Voice Browser.
Cisco has released security updates to address the issue in all affected products and recommends that all customers update to a patched version as soon as possible, noting that no workarounds are available.
However, the company points out that customers can mitigate the bug by implementing access control lists (ACLs) on intermediary devices to separate the vulnerable products from the network.
On Wednesday, Cisco also announced patches for two medium-severity flaws in Business 250 and Business 350 series switches, and in Unity Connection.
An access control list (ACL) management security defect in the switches could allow an unauthenticated, remote attacker to bypass protections and cause traffic to drop or be forwarded in an unexpected manner.
Unity Connection, Cisco says, is affected by a cross-site scripting (XSS) bug in the web-based management interface that could lead to the execution of arbitrary script code. An attacker would have to convince a user to click on a malicious link to successfully exploit the flaw.
Cisco says it is not aware of any of these vulnerabilities being exploited in malicious attacks. Additional information on the bugs can be found on Cisco’s security advisories page.