CVE-2024-20253: Cisco Unified Comms Remote Code Execution Vulnerability

The Blue Report 2023

Analysis of 14m Attack Simulations Reveals Organizations Only Prevent 6 out of Every 10 Attacks.

DOWNLOAD

On January 24, 2024, Cisco disclosed a remote code execution vulnerability that affects Cisco Unified Communications Manager and Contact Center Solutions products [1]. CVE-2024-20253 vulnerability has a CVSS score of 9.9 (Critical). Cisco recommended organizations to apply security updates to address the vulnerability.

In this blog, we explained the Cisco CVE-2024-20253 Remote Code Execution vulnerability and how organizations can defend against CVE-2024-20253 attacks.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Cisco CVE-2024-20253 Remote Code Execution  Vulnerability Explained

Cisco Unified Communications Manager (CM) is a comprehensive suite of solutions designed to facilitate communication and collaboration within organizations. Unified CM integrates various communication channels, such as voice, video, messaging, and conferencing, into a unified platform. Cisco Contact Center Solutions is a comprehensive suite of products and services designed to enhance customer service within organizations. Similar to Unified CM, Cisco Contact Center Solutions streamlines customer interactions across various communication channels, including voice calls, emails, chat, social media, and SMS.

On January 24, 2024, Cisco disclosed a remote code execution vulnerability affecting both Cisco Unified Communications Manager and Contact Center Solutions. CVE-2024-20253 vulnerability allows an unauthenticated adversary to execute arbitrary commands remotely in a vulnerable system. The vulnerability is caused by the improper processing of user-provided data that is being read into memory. Adversaries may exploit the CVE-2024-20253 vulnerability by sending a malicious payload to a listening port of an affected product and the sent payload would be executed with web services user privileges. Adversaries may use this access to elevate their privileges to root. The list of affected devices are given below.

Affected Product

Affected Versions

Packaged Contact Center Enterprise (PCCE) 

version 12.0 and earlier

version 12.5(1)

version 12.5(2)

Unified Communications Manager (Unified CM & Unified CM SME) 

version 11.5

version 12.5(1)

version 14

Unified Communications Manager IM & Presence Service (Unified CM IM&P) 

version 11.5(1)

version 12.5(1)

version 14

Unified Contact Center Enterprise (UCCE) 

version 12.0 and earlier

version 12.5(1)

version 12.5(2)

Unified Contact Center Express (UCCX) 

version 12.0 and earlier

version 12.5(1)

Unity Connection

versions 11.5(1)

version 12.5(1)

version 14

Virtualized Voice Browser (VVB)

versions 12.0 and earlier

version 12.5(1)

version 12.5(2)

The vulnerability has a CVSS score of 9.9 (Critical) and has no work around. Organizations are advised to apply security updates as soon as possible. As for mitigation, Cisco suggested organizations establish access control lists (ACLs) to separate vulnerable products from the rest of the network and only allow access to ports of deployed services.

References

[1] “Cisco Security Advisory: Cisco Unified Communications Products Remote Code Execution Vulnerability,” Cisco, Jan. 25, 2024. Available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm. [Accessed: Jan. 26, 2024]