CVE-2024-20272: Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability

HawkEye CSOC Dubai

Cisco recently fixed a significant security vulnerability in Cisco Unity Connection. Unity Connection is a fully virtualized messaging and voicemail service that works across several platforms, including email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phones, mobile phones, and tablets.

Background:

The vulnerability, CVE-2024-20272, was discovered in the software’s web-based management interface and might allow unauthenticated attackers to gain root privileges on unpatched devices.

CVE-2024-20272:

The vulnerability, tracked as CVE-2024-20272, has a CVSS score of 7.3, although Cisco rates it as critical. Importantly, it is remotely exploitable, requiring no authentication, credentials, or user interaction.

The vulnerability is caused by a lack of authentication in a specific API and improper validation of user-supplied data. An attacker can exploit it by uploading arbitrary files to the affected device, which in turn allows commands to be executed on the underlying operating system. A successful exploit lets the attacker store malicious files on the system, run arbitrary commands, and elevate privileges to root.

Cisco has released software updates that address this vulnerability; there are no workarounds that mitigate it.

Affected Versions:

Cisco Unity Connection Release | First Fixed Release
12.5 and earlier               | 12.5.1.19017-41
14                             | 14.0.1.14006-51
15                             | Not vulnerable
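As an added example (it is not part of the HawkEye post or of Cisco's advisory), the following Python compares a deployed Unity Connection version against the first fixed release for its release train, using the version strings exactly as listed in the table above, and reports whether the host still needs the update. It assumes version strings in the dotted form shown in the table (for example 12.5.1.19017-41) and a hypothetical, constructed inventory of host names and versions.

```python
import re
from typing import Dict, Tuple

# First fixed releases per release train, copied verbatim from the table above.
FIRST_FIXED = {
    "12.5 and earlier": "12.5.1.19017-41",
    "14": "14.0.1.14006-51",
}
# Release 15 is listed as not vulnerable.
NOT_VULNERABLE_TRAINS = {"15"}

# Assumed version format: major.minor.patch.build-suffix (as in the table).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.0.1.14006-51' into (14, 0, 1, 14006, 51) so tuples compare numerically."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Unity Connection version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def release_train(parsed: Tuple[int, ...]) -> str:
    """Map a parsed version to the release train used as the row key in the table."""
    major = parsed[0]
    if major >= 15:
        return "15"
    if major == 14:
        return "14"
    return "12.5 and earlier"  # everything below 14, including 11.x and 12.0


def is_vulnerable(version: str) -> bool:
    """True when the running version is older than the first fixed release for its train."""
    parsed = parse_version(version)
    train = release_train(parsed)
    if train in NOT_VULNERABLE_TRAINS:
        return False
    return parsed < parse_version(FIRST_FIXED[train])


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return an action per host: 'upgrade to <release>' or 'ok'."""
    report = {}
    for host, version in inventory.items():
        if is_vulnerable(version):
            report[host] = "upgrade to " + FIRST_FIXED[release_train(parse_version(version))]
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up for illustration.
    sample = {"cuc-hq-01": "12.5.1.18900-7", "cuc-dr-01": "14.0.1.14006-51", "cuc-lab": "15.0.1.10000-1"}
    for host, action in assess_inventory(sample).items():
        print(f"{host}: {action}")
```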

Recommendations:

Cisco has found no indication of public proof-of-concept exploit code or of active exploitation in the wild. Nonetheless, the company recommends that customers apply the available fixes as soon as possible.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.