Advisory No: TZCERT/SA/2024/02/02
Date of First Release: 2nd February 2024
Source: Cisco
Software Affected:
- Unified CM, Unified CM SME, Unified CM IM&P and Unity Connection
Overview:
Unified CM and Unity Connection are affected by vulnerabilities tracked as CVE-2024-20253, which could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device, and CVE-2024-20272, which could allow a remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system, respectively.
Description:
CVE-2024-20253 results from the improper processing of user-provided data that is read into memory. An attacker could exploit this vulnerability by sending a specially crafted message to a listening port of an affected device. With access to the underlying operating system, the attacker could also establish root access. CVE-2024-20272, which affects Cisco Unity Connection, is due to a lack of authentication in a specific API and improper validation of user-supplied data; this allows an attacker to upload arbitrary files to an affected system, execute arbitrary commands on the operating system upon successful exploitation, and elevate privileges to root.
Impact:
Successful exploitation of these vulnerabilities may allow a remote attacker to take control of the affected system.
Solution:
Cisco has released security updates to resolve these vulnerabilities. Users and administrators are encouraged to update as soon as possible.
References: