Identified as CVE-2024-20253, a new critical Remote Code Execution (RCE) vulnerability has been revealed, posing a significant threat to Cisco Unified Communications and Contact Center Solutions products. Details of the vulnerability, its potential impact, affected products, and mitigation strategies will be introduced in this post.
Here’s what you need to know:
What is CVE-2024-20253?
The Cisco Unified Communications RCE Vulnerability CVE-2024-20253 vulnerability, with a severity score of 9.9, stems from improper processing of user-supplied data in Cisco Unified Communications products. An attacker, through a crafted message to an affected device’s listening port, could exploit this flaw. The result is the ability to execute arbitrary commands on the underlying operating system with the privileges of the web services user. In the worst-case scenario, this could lead to gaining root access to the affected device.
Does CVE-2024-20253 affect me?
The vulnerability impacts several Cisco Unified Communications and Contact Center Solutions products in their default configuration. The affected products include:
- Unified Communications Manager (Unified CM)
- Unified Communications Manager IM & Presence Service (Unified CM IM&P)
- Unified Communications Manager Session Management Edition (Unified CM SME)
- Unified Contact Center Express (UCCX)
- Unity Connection
- Virtualized Voice Browser (VVB)
As confirmed by Cisco, the vulnerability has no effect on any of the following Cisco products:
- Customer Collaboration Portal (CCP), formerly SocialMiner
- Customer Voice Portal (CVP)
- Emergency Responder (CER)
- Hosted Collaboration Mediation Fulfillment (HCM-F)
- Packaged Contact Center Enterprise (PCCE)
- Prime Collaboration Deployment (PCD)
- Prime License Manager (PLM)
- Remote Expert Mobile
- Unified Contact Center Domain Manager (CCDM)
- Unified Contact Center Enterprise (UCCE)
- Unified Contact Center Management Portal (Unified CCMP)
- Unified Intelligence Center (CUIC)
For specific versions affected, users are advised to refer to the official Cisco advisory.
Has CVE-2024-20253 been actively exploited in the wild?
As of the latest information available, there is no evidence of public announcements or malicious use of CVE-2024-20253. However, given the critical nature of the vulnerability, organizations are urged to stay vigilant and apply necessary security precautions.
How to fix CVE-2024- 20253?
In its Advisory for this vulnerabilty, Cisco recommends the following mitigation method:
Set up Access Control Lists (ACLs): Implement ACLs on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the network. These ACLs should exclusively grant access to the ports of deployed services.
Cisco also emphasizes the importance of assessing the applicability and effectiveness of the mentioned mitigation method in specific environments. Furthermore, they caution against implementing any workarounds or mitigations without a thorough evaluation of their potential impact.
In addition to the mitigation provided, organizations are advised to adhere to the best practices outlined in:
- Security Guide for Cisco Unified Communications Manager
- Security Guide for Cisco Unified ICM/Contact Center Enterprise
Cisco has released free software updates addressing the vulnerability. Customers with service contracts, enabling regular software updates, are encouraged to obtain security fixes through their standard update channels as per the indications in Cisco Security Advisories page.
It’s essential to note that customers are entitled to install and receive support for software versions and feature sets covered by their purchased license. By engaging with, downloading, accessing, or utilizing these software upgrades, customers implicitly agree to adhere to the terms specified in the Cisco software license.
Moreover, customers are only permitted to download software for which they possess a valid license obtained directly from Cisco or an authorized reseller or partner. Typically, this involves a maintenance upgrade for previously purchased software. Importantly, free security software updates do not grant customers a new software license, additional feature sets, or major revision upgrades.
For comprehensive information on licensing and downloads, customers can visit the Cisco Support and Downloads page on Cisco.com. This page also facilitates the display of customer device support coverage for those utilizing the My Devices tool.
For further information, you can also visit the latest Port Utilization Guide for Cisco Unified Contact Center Solutions or the System Configuration Guide for Cisco Unified Communications Manager, Release 14 and SUs under the Cisco Unified Communications Manager TCP and UDP Port Usage Overview section, or the version that corresponds with the deployed release
Additionally, follow the best practices that are described in the latest Security Guide for Cisco Unified Communications Manager or the latest Security Guide for Cisco Unified ICM/Contact Center Enterprise.
Although this mitigation has been successfully applied and validated in a controlled testing environment, it is crucial for customers to assess its relevance and effectiveness within their unique operational contexts. It’s essential to note that any implemented workaround or mitigation may have adverse effects on network functionality or performance, depending on individual deployment scenarios and constraints. Therefore, customers are strongly advised against deploying any workarounds or mitigations without conducting a thorough evaluation of their specific environment and understanding the potential impacts.
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: