Cisco has produced patches to deal with a critical security flaw impacting Unified Communications and Get in touch with Heart Alternatives products that could permit an unauthenticated, distant attacker to execute arbitrary code on an impacted machine.
Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-delivered information that a menace actor could abuse to send out a specifically crafted concept to a listening port of a susceptible equipment.
“A productive exploit could allow for the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web solutions consumer,” Cisco stated in an advisory. “With accessibility to the fundamental running method, the attacker could also establish root access on the impacted machine.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Synacktiv security researcher Julien Egloff has been credited with exploring and reporting CVE-2024-20253. The subsequent goods are impacted by the flaw –
- Unified Communications Manager (versions 11.5, 12.5(1), and 14)
- Unified Communications Manager IM & Presence Service (variations 11.5(1), 12.5(1), and 14)
- Unified Communications Manager Session Management Version (variations 11.5, 12.5(1), and 14)
- Unified Make contact with Middle Categorical (versions 12. and before and 12.5(1))
- Unity Relationship (variations 11.5(1), 12.5(1), and 14), and
- Virtualized Voice Browser (versions 12. and previously, 12.5(1), and 12.5(2))
Even though there are no workarounds that handle the shortcoming, the networking gear maker is urging consumers to established up obtain manage lists to limit entry exactly where implementing the updates is not right away attainable.
“Build obtain handle lists (ACLs) on middleman devices that different the Cisco Unified Communications or Cisco Speak to Centre Answers cluster from users and the rest of the network to permit entry only to the ports of deployed companies,” the enterprise claimed.
The disclosure comes weeks immediately after Cisco delivered fixes for a critical security flaw impacting Unity Connection (CVE-2024-20272, CVSS rating: 7.3) that could allow an adversary to execute arbitrary instructions on the underlying method.
Located this report attention-grabbing? Follow us on Twitter and LinkedIn to browse more special articles we write-up.
Some elements of this article are sourced from:
thehackernews.com