Cisco recently resolved a significant security vulnerability in the Unity Connection. Unity Connection is a fully virtualized messaging and voicemail service that works across several platforms, including email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, cellphones, and tablets.
Background:
The vulnerability, CVE-2024-20272, was discovered in the software’s web-based management interface and might allow unauthenticated attackers to gain root privileges on unpatched devices.
CVE-2024-20272:
The vulnerability, tracked as CVE-2024-20272, has a CVSS score of 7.3, despite Cisco categorizing it as critical. Importantly, it is non-local, requiring no authentication, credentials, or user interaction.
The vulnerability is caused by a lack of authentication in a specific API and incorrect validation of user-supplied data. Attackers can take advantage of this vulnerability by uploading arbitrary files to the target machine, allowing them to run commands on the underlying operating system. If successfully abused, the attacker might place malicious files on the system, run arbitrary commands, and gain root access.
Cisco has issued software updates to rectify this vulnerability, and there are no available workarounds to mitigate it.
Affected Versions:
| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 12.5 and earlier | 12.5.1.19017-41 |
| 14 | 14.0.1.14006-51 |
| 15 | Not vulnerable |
Recommendations:
Fortunately, Cisco discovered no indication of public proof-of-concept attacks or ongoing exploitation in the wild. Nonetheless, the company recommends customers apply the offered fixes as soon as possible.
References:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD