Advisory

Cisco patches critical flaw in Unified Communications Products

Take action: If you are using Unified Communications Products, it's time to check whether they are properly segregated. Then patch as soon as possible.


Learn More

Cisco has issued a critical warning regarding a remote code execution (RCE) vulnerability, tracked as CVE-2024-20253 (CVSS score 9.9), affecting several of its unified communications products, including:

  • Packaged Contact Center Enterprise (PCCE) (CSCwe18830)
  • Unified Communications Manager (Unified CM) (CSCwd64245)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
  • Unified Contact Center Enterprise (UCCE) (CSCwe18830)
  • Unified Contact Center Express (UCCX) (CSCwe18773)
  • Unity Connection (CSCwd64292)
  • Virtualized Voice Browser (VVB) (CSCwe18840)

This vulnerability allows attackers to execute arbitrary commands on the underlying operating system of affected devices, potentially gaining root access. The vulnerability arises from improper processing of user-provided data in memory.

Cisco has released fixed versions and advises upgrading to them. The first fixed release for each product is listed below.

Unified CM and Unified CM SME: CSCwd64245

Cisco Unified CM and Unified CM SME Release | First Fixed Release
11.5(1) | Migrate to a fixed release.
12.5(1) | 12.5(1)SU8 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512
14 | 14SU3 or ciscocm.v1_java_deserial-CSCwd64245.cop.sha512
15 | Not vulnerable.

Unified CM IM&P: CSCwd64276

Cisco Unified CM IM&P Release | First Fixed Release
11.5(1) | Migrate to a fixed release.
12.5(1) | 12.5(1)SU8 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512
14 | 14SU3 or ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512
15 | Not vulnerable.

Unity Connection: CSCwd64292

Cisco Unity Connection Release | First Fixed Release
11.5(1) | Migrate to a fixed release.
12.5(1) | 12.5(1)SU8 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512
14 | 14SU3 or ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512
15 | Not vulnerable.

PCCE and UCCE: CSCwe18830

Cisco PCCE and UCCE Release | First Fixed Release
12.0 and earlier | Migrate to a fixed release.
12.5(1) and 12.5(2) | ucos.v1_java_deserial-CSCwd64245.cop.sgn
15 | Not vulnerable.

UCCX: CSCwe18773

Cisco UCCX Release | First Fixed Release
12.0 and earlier | Migrate to a fixed release.
12.5(1) | ucos.v1_java_deserial-CSCwd64245.cop.sgn
15 | Not vulnerable.

VVB: CSCwe18840

Cisco VVB Release | First Fixed Release
12.0 and earlier | Migrate to a fixed release.
12.5(1) and 12.5(2) | ucos.v1_java_deserial-CSCwd64245.cop.sgn
15 | Not vulnerable.
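To turn the tables above into an inventory check, the following added helper (not Cisco's code, and not part of the advisory) parses a release string such as 12.5(1)SU7 or 14SU3 and reports the required action for a product. The product keys, the Verdict type and the cop_applied flag are my own labels; it assumes that a later SU on the same train contains the fix, and that whether the listed COP file has been installed must be supplied by the operator.

```python
import re
from typing import NamedTuple


class Verdict(NamedTuple):
    vulnerable: bool
    action: str


# First-fixed data copied from the advisory tables:
# train -> (first fixed SU, or None when only the COP file fixes it; COP file name).
# Trains not listed (11.5(1), 12.0 and earlier) must migrate; 15 is not vulnerable.
COP_CM = "ciscocm.v1_java_deserial-CSCwd64245.cop.sha512"
COP_IMP = "ciscocm.cup-CSCwd64276_JavaDeserialization.cop.sha512"
COP_CUC = "ciscocm.cuc.v1_java_deserial-CSCwd64292.k4.cop.sha512"
COP_UCOS = "ucos.v1_java_deserial-CSCwd64245.cop.sgn"
FIXED = {
    "Unified CM": {"12.5(1)": (8, COP_CM), "14": (3, COP_CM)},
    "Unified CM IM&P": {"12.5(1)": (8, COP_IMP), "14": (3, COP_IMP)},
    "Unity Connection": {"12.5(1)": (8, COP_CUC), "14": (3, COP_CUC)},
    "PCCE/UCCE": {"12.5(1)": (None, COP_UCOS), "12.5(2)": (None, COP_UCOS)},
    "UCCX": {"12.5(1)": (None, COP_UCOS)},
    "VVB": {"12.5(1)": (None, COP_UCOS), "12.5(2)": (None, COP_UCOS)},
}

# Matches "12.5(1)SU8", "14SU3", "11.5(1)", "15": train followed by an optional SU number.
_RELEASE = re.compile(r"^(\d+(?:\.\d+)?(?:\(\d+\))?)(?:SU(\d+))?$")


def parse_release(release: str) -> tuple[str, int]:
    """Split '12.5(1)SU7' into ('12.5(1)', 7); a bare train counts as SU 0."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return m.group(1), int(m.group(2) or 0)


def check(product: str, release: str, cop_applied: bool = False) -> Verdict:
    """Return whether the installed release is vulnerable and what the advisory asks for."""
    train, su = parse_release(release)
    if int(train.split(".")[0].split("(")[0]) >= 15:
        return Verdict(False, "not vulnerable")
    entry = FIXED[product].get(train)
    if entry is None:
        return Verdict(True, "migrate to a fixed release")
    first_su, cop = entry
    if first_su is not None and su >= first_su:
        return Verdict(False, f"fixed in {train}SU{first_su}")
    if cop_applied:
        return Verdict(False, f"COP file {cop} applied")
    needed = f"upgrade to {train}SU{first_su} or apply {cop}" if first_su else f"apply {cop}"
    return Verdict(True, needed)
```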


As a mitigation measure, Cisco suggests isolating the Cisco Unified Communications products from users and from the rest of the network with access control lists that allow access only to the ports of the deployed services.
