Unified CM and Unity Connection remote code execution and file upload vulnerabilities (CVE-2024-20253 and CVE-2024-20272)

Advisory No: TZCERT/SA/2024/02/02

Date of First Release: 2^nd February 2024

Source: Cisco

Software Affected:

• Unified CM, Unified CM SME, Unified CM IM&P and Unity Connection

Overview:

Unified CM and Unity Connection are affected by vulnerabilities tracked as CVE-2024-20253 which could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device and CVE-2024-20272 which allows remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system respectively.

Description:

CVE-2024-20253 is resulting from the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a special crafted message to a listening port of an affected device. With access to the underlying operating system, the attacker could also establish root access. CVE-2024-20272 that affects Cisco Unit Connection is due to lack of authentication in a specific API and improper validation of user-supplied data which allows the attacker to upload arbitrary files to an affected system, execute arbitrary commands on the operating system upon successful exploitation, and elevate privileges to root.

Impact:

Successful exploitation of these vulnerabilities may allow the remote attacker to take control of the affected system.

Solution:

Cisco has released security updates to resolve these vulnerabilities. Users and administrations are encouraged to update as soon as possible.

References:

1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm
2. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD