A critical security flaw in Unity Connection has been patched by Cisco, which could allow unauthenticated attackers to remotely take over unpatched devices and obtain root privileges.
With high availability and redundancy support, Unity Connection is a fully virtualized messaging and voicemail solution for web browsers, smartphones, tablets, Cisco Jabber, Cisco Unified IP Phone, and email inboxes.
The software’s web-based management interface was found to have a vulnerability (CVE-2024-20272) that enables attackers to upload arbitrary files to targeted and vulnerable systems to execute commands on the underlying operating system.
“This vulnerability results from incorrect validation of user-supplied data and a lack of authentication in a particular API. According to Cisco, an attacker could take advantage of this vulnerability by uploading random files to a vulnerable system.
“A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.”
Fortunately, Cisco has no proof of active exploitation in the wild or public proof of concept exploits for this vulnerability, according to the company’s Product Security Incident Response Team (PSIRT).
In addition, Cisco patched ten medium-severity security flaws in a variety of products today, which gave hackers the ability to execute commands, escalate privileges, and more.
According to the company, one of these vulnerabilities—a command injection vulnerability identified as CVE-2024-20287 in the web-based management interface of Cisco’s WAP371 Wireless Access Point—has proof-of-concept exploit code available online.
Administrator credentials are necessary for successful exploitation even though attackers could use this flaw to run arbitrary commands on unpatched devices with root privileges.
The Cisco WAP371 device reached end-of-life in June 2019, according to Cisco, so the company will not be releasing firmware updates to address the CVE-2024-20287 security vulnerability.
Customers who have a WAP371 device on their network are advised by the company to switch to the Cisco Business 240AC Access Point.
Additionally, Cisco patched two zero-day vulnerabilities in October (CVE-2023-20198 and CVE-2023-20273) that were used to compromise more than 50,000 IOS XE devices in a single week.
Cisco Addresses a High-Risk Flaw in Unity Connection Software
A serious security vulnerability affecting Unity Connection that could allow an adversary to run arbitrary commands on the underlying system has been fixed by Cisco with software updates.
A lack of authentication in a particular API and incorrect validation of user-supplied data result in the vulnerability, tracked as CVE-2024-20272 (CVSS score: 7.3), which is an arbitrary file upload bug present in the web-based management interface.
According to a Cisco advisory published on Wednesday, “an attacker could exploit this vulnerability by uploading arbitrary files to an affected system.” “A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root.”
The following Cisco Unity Connection versions are affected by the bug. Version 15 is not susceptible.
- 12.5 and preceding (Repaired in 126.96.36.19917-4
- 14 (Corrected in 188.8.131.5206-5 version)
Maxim Suslov, a security researcher, is recognized for having found and reported the vulnerability. Although Cisco does not mention the bug being exploited in the wild, users are encouraged to update to a fixed version to reduce potential risks.
Cisco has released updates to address 11 medium-severity vulnerabilities in its software, including Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS), in addition to the patch for CVE-2024-20272.
Cisco, however, stated that the device has reached end-of-life (EOL) as of June 2019 and that it does not plan to release a fix for the command injection bug in WAP371 (CVE-2024-20287, CVSS score: 6.5). Rather, it suggests that users switch to the Cisco Business 240AC Access Point.