Advisory

Atos Unify OpenScape reports maximum severity critical vulnerability

Take action: This is a "LOCK DOWN AND PATCH IMMEDIATELY" advisory. Any publicly exposed SSH and management interface of OpenScape will be scanned automatically and compromised. Close SSH and management interfaces from any public internet access and patch ASAP.


Learn More

A critical security vulnerability, tracked as CVE-2023-6269 and rated CVSS v3 score 10, the maximum possible score, has been reported in Atos Unify's OpenScape suite, affecting the OpenScape SBC, Branch, and BCF products. Atos Unify OpenScape is a comprehensive suite of communication and collaboration tools developed by Atos Unify. It integrates voice, video, messaging, and conferencing into a unified platform, and offers IP telephony, conferencing tools, contact center solutions, and mobility support.

The flaw is an argument injection issue. It enables unauthorized individuals to bypass the administrative web interface, potentially execute arbitrary code, and obtain root access through SSH, compromising the entire system.

The vulnerability arises because the administrative web interface does not properly sanitize submitted login credentials before handing them to a user management application as arguments. Credential values that the user management application interprets as options rather than data give an attacker a path to unauthorized control and access.
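The pattern described above, as an added illustration that is not taken from OpenScape or from the vendor: a web login handler that hands credentials to a command-line user management tool. The weak shape splices the values into a shell command string; the hardened shape validates the username against a strict allowlist, passes an argv list with no shell, inserts `--` so the tool's option parser cannot read a credential as an option, and sends the password on stdin rather than the command line. The tool name `usermgmt`, the allowlist pattern, and the hypothetical `authenticate` subcommand are assumptions.

```python
import re
import subprocess
from typing import List

# Hypothetical user-management CLI standing in for whatever tool a web front
# end hands credentials to. Not OpenScape's tool; nothing here is taken from
# the affected products.
USERMGMT_BIN = "usermgmt"

# Allowlist for account names: must start with a letter, so the value can never
# begin with '-' and be parsed as an option; no shell metacharacters; bounded.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,31}$")


class CredentialError(ValueError):
    """Raised when a submitted credential fails validation."""


def weak_command(username: str, password: str) -> str:
    """The vulnerable shape: credentials are spliced into a command string that
    would be handed to a shell. Anything the shell or the tool's option parser
    recognises inside the credential changes what actually runs, and the
    password also becomes visible in the process list."""
    return f"{USERMGMT_BIN} authenticate {username} {password}"


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def is_valid_password(password: str) -> bool:
    # Passwords are not restricted to an allowlist, but they must be non-empty,
    # bounded, and free of characters that would break the stdin framing.
    return 0 < len(password) <= 128 and not any(c in password for c in "\x00\r\n")


def hardened_argv(username: str) -> List[str]:
    """Hardened shape: validate first, build an argv list (no shell), and put
    '--' before the user-controlled value so the option parser treats it as
    positional even if the allowlist is ever loosened. The password is not
    part of argv at all; see authenticate()."""
    if not is_valid_username(username):
        raise CredentialError("username rejected by allowlist")
    return [USERMGMT_BIN, "authenticate", "--", username]


def authenticate(username: str, password: str) -> bool:
    """Run the hardened command. shell=False passes the list straight to
    execve, so no shell parsing of the credential values occurs; the password
    travels on stdin, which keeps it out of argv and the process list."""
    if not is_valid_password(password):
        raise CredentialError("password rejected")
    argv = hardened_argv(username)
    try:
        result = subprocess.run(
            argv, input=(password + "\n").encode(), capture_output=True, check=False
        )
    except FileNotFoundError:
        # The hypothetical tool is not installed here; treat as a failed login.
        return False
    return result.returncode == 0
```

The allowlist is the primary control; `--` and the stdin password are defence in depth so that a later relaxation of the regex does not silently reopen the option-parsing path.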

The products confirmed as vulnerable include several versions of Atos Unify OpenScape SBC, Branch, and BCF, specifically those preceding the latest updates. The versions at risk are:

  • OpenScape SBC prior to V10 R3.4.0
  • OpenScape Branch prior to V10 R3.4.0
  • OpenScape BCF V10 before versions V10R10.12.00 and V10R11.05.02

For these affected versions, the respective updated versions are:

  • OpenScape SBC V10 R3.4.0 or later
  • OpenScape Branch V10 R3.4.0 or later
  • OpenScape BCF V10R10.12.00 or later (V10R10 line), and V10R11.05.02 (V10R11 line)

Users of these systems are strongly advised to update to the fixed versions promptly. In addition, the following preventive measures are recommended: disable SSH access for low-privileged accounts, ensure the root account cannot log in via SSH, limit external SSH access, and do not expose the administration interface of the affected systems to the public internet.
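A way to check the SSH-related recommendations above against an OpenSSH `sshd_config`, as an added example that is not part of the advisory and not vendor tooling. The checks are: `PermitRootLogin` is explicitly `no`, an `AllowUsers` or `AllowGroups` line restricts which accounts may use SSH at all, and some address-based restriction exists (`ListenAddress` bound to a management address, `AllowUsers` with `user@host` patterns, or a `Match Address` block). Network restriction is normally enforced at the firewall as well; this only confirms that sshd itself expresses one. The two config texts, the group name `sshadmins`, and the management network `10.0.0.0/8` are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample configs (assumptions, not from any real system).
CONSTRUCTED_WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

CONSTRUCTED_HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
AllowGroups sshadmins          # only this group may use SSH at all
Match Address *,!10.0.0.0/8     # anyone outside the assumed management net
    DenyUsers *                 # ...is denied regardless of account
"""

WILDCARD_LISTEN = {"0.0.0.0", "::", "*"}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect top-level directives (keyword lower-cased, argument text kept)
    and the criteria of every Match block. Directives inside a Match block are
    conditional, so they are not counted as global settings."""
    directives: Dict[str, List[str]] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            directives.setdefault("match", []).append(value)
            continue
        if in_match:
            continue
        directives.setdefault(key, []).append(value)
    return directives


def audit_sshd_config(text: str) -> List[str]:
    """Return findings against the advisory's SSH recommendations; an empty
    list means all three checks passed."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []

    # 1. Root must not be reachable over SSH. OpenSSH's default when the
    #    keyword is absent is not 'no', so we require it to be set explicitly.
    root = cfg.get("permitrootlogin", ["<unset>"])[-1].lower()
    if root != "no":
        findings.append(f"PermitRootLogin is {root!r}; set it to 'no'")

    # 2. Low-privileged accounts should not be able to attempt SSH logins.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt SSH login")

    # 3. External SSH access should be limited somewhere in sshd's own config.
    listen_restricted = any(
        v.split(":")[0] not in WILDCARD_LISTEN for v in cfg.get("listenaddress", [])
    )
    host_scoped_allow = any("@" in v for v in cfg.get("allowusers", []))
    match_address = any(v.lower().startswith("address") for v in cfg.get("match", []))
    if not (listen_restricted or host_scoped_allow or match_address):
        findings.append("no address-based restriction (ListenAddress, AllowUsers user@host, or Match Address)")

    return findings


if __name__ == "__main__":
    for name, cfg_text in (("weak", CONSTRUCTED_WEAK_CONFIG), ("hardened", CONSTRUCTED_HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg_text) or "OK")
```

Run it against a copied `sshd_config` rather than the live file when the device is already suspected compromised; the config on disk is evidence as well as a control.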
