Cisco Unified Communications Products Remote Code Execution Vulnerability (CVE-2024-20253)

Qualys Security Advisory

Cisco has released patches to address CVE-2024-20253 impacting Unified Communications Products. The vulnerability has a critical severity rating with a CVSS score of 9.9. Successful exploitation of the vulnerability may lead to remote code execution.

Julien Egloff of Synacktiv discovered and reported the vulnerability. Cisco states in its advisory that it is not aware of any active exploitation of the vulnerability.

Cisco Voice and Unified Communications products unify voice, video, data, and mobile applications on fixed and mobile networks. The products help organizations stay connected and productive through messaging, presence, enterprise social, and application development.

Vulnerability Description

The vulnerability originates from improper processing of user-provided data that is read into memory. An attacker may exploit it by sending a crafted message to a listening port of an affected device; no authentication is required, and the attacker can be remote. A successful exploit runs with the privileges of the web services user on the underlying operating system, and with that access the attacker could then establish root access on the affected device.
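The patch file names listed under Affected Versions (ciscocm.v1_java_deserial-CSCwd64245.cop.sha512, ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512, and the others) indicate that the underlying flaw is deserialization of untrusted Java objects. The following is an added example, not code from the advisory or from any Cisco product, contrasting a service method that hands client-supplied bytes to an unfiltered ObjectInputStream with the hardened form that attaches a JEP 290 allow-list filter before readObject(). HeartbeatMessage, DeserializationFilterDemo and the sample payloads are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical message type: the only object a service of this kind should ever
// accept from a client (constructed for the example, not a Cisco class).
class HeartbeatMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final String nodeName;
    final long sentAtEpochSeconds;

    HeartbeatMessage(String nodeName, long sentAtEpochSeconds) {
        this.nodeName = nodeName;
        this.sentAtEpochSeconds = sentAtEpochSeconds;
    }
}

public class DeserializationFilterDemo {

    // Vulnerable pattern: attacker-controlled bytes go straight into readObject(),
    // so any serializable class on the classpath can be instantiated by the stream.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allow-list filter (java.io.ObjectInputFilter,
    // Java 9+, backported to 8u121). Only HeartbeatMessage may be deserialized;
    // "!*" rejects every other class, and the limits cap depth, byte size and
    // reference count of the object graph. Primitive fields need no entry;
    // java.lang.String is listed defensively so the field type is explicitly covered.
    static final ObjectInputFilter HEARTBEAT_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=4096;maxrefs=32;"
            + HeartbeatMessage.class.getName() + ";java.lang.String;!*");

    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(HEARTBEAT_ONLY);
            return in.readObject();  // throws InvalidClassException when the filter rejects
        }
    }

    // Helper that produces sample payloads in-process (constructed test data).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new HeartbeatMessage("uc-node-01", 1700000000L));
        List<String> notAHeartbeat = new ArrayList<>();
        notAHeartbeat.add("unexpected type");
        byte[] unexpected = serialize(notAHeartbeat);  // benign stand-in for a foreign class

        // The unfiltered reader materialises whatever class the bytes name.
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected).getClass().getName());

        // The filtered reader accepts the expected message ...
        System.out.println("filtered accepted:   " + readFiltered(expected).getClass().getName());

        // ... and rejects anything outside the allow-list before the foreign class's
        // readObject/readResolve logic has a chance to run.
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected:   " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on Java 9 or later. The per-stream filter shown here is the targeted fix; as a process-wide backstop, the same pattern syntax can be supplied through the `jdk.serialFilter` system property so that every ObjectInputStream in the JVM inherits it. A filter reduces the attack surface to the classes you name, but the durable mitigation for a vulnerability like this one remains applying the vendor patch.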

Affected Products

CVE-2024-20253 affects the following Cisco products in the default configuration:

  • Unity Connection
  • Virtualized Voice Browser (VVB)
  • Unified Contact Center Express (UCCX)
  • Unified Contact Center Enterprise (UCCE)
  • Packaged Contact Center Enterprise (PCCE)
  • Unified Communications Manager (Unified CM)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P)
  • Unified Communications Manager Session Management Edition (Unified CM SME)

Affected Versions

Unified CM and Unified CM SME:

  • Version 11.5(1) before release 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512
  • Version 14 before release 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512

Unified CM IM&P:

  • Version 11.5(1) before release 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512
  • Version 14 before release 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512

Unity Connection:

  • Version 11.5(1) before release 12.5(1)SU8 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512
  • Version 14 before release ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512

PCCE and UCCE:

  • Versions 12.5(1) and 12.5(2) before release ucos.v1_java_deserial-CSCwd64245.cop.sgn

UCCX:

  • Version 12.5(1) before release ucos.v1_java_deserial-CSCwd64245.cop.sgn

VVB:

  • Versions 12.5(1) and 12.5(2) before release ucos.v1_java_deserial-CSCwd64245.cop.sgn

Mitigation

Customers can refer to the Cisco Security Advisory (cisco-sa-cucm-rce-bWNzQcUm) for information about patches released for the vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 317410 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm
