Cisco has recently addressed a significant security vulnerabilit in its Unity Connection softwarey, identified as CVE-2024-20272. This flaw poses a critical risk as it allows unauthenticated attackers to gain root privileges on affected systems. The update is already available and is recommended for installation as soon as possible.
Vulnerability in Cisco Unity Connection Allows for Root Access
The Unity Connection vulnerability, coded as CVE-2024-20272, is an arbitrary file upload bug discovered within the web-based management interface of Cisco Unity Connection. The vulnerability is primarily due to insufficient authentication in a specific API and improper validation of user-supplied data. Attackers could exploit this flaw by uploading arbitrary files to an affected system. This could enable them to store malicious files on the system, execute arbitrary commands and elevate their privileges to root level.
The vulnerability affects certain versions of the Cisco Unity Connection software (12.5 and earlier, and 14). But with version 15 not being susceptible. While there are no reports of the vulnerability being maliciously exploited in the wild, the seriousness of the flaw necessitates prompt action by users to apply the updates.
What is Unity Connection?
Cisco Unity Connection is a fully virtualized messaging and voicemail solution, widely used across various platforms. Those are email inboxes, web browsers, Cisco Jabber, smartphones, and tablets. The vulnerability’s critical nature stems from its potential impact on these systems, especially considering that Cisco solutions overall are frequently targeted by attackers.
Patch
Cisco has released software updates to mitigate this vulnerability for the affected versions of the Unity Connection software. The fixed versions are 12.5.1.19017-4 for version 12.5 and earlier, and 14.0.1.14006-5 for version 14.
| Cisco Unity Connection Release | First Fixed Release |
| 12.5 and earlier | 12.5.1.19017-4 |
| 14 | 14.0.1.14006-5 |
| 15 | Not vulnerable |
Additionally, Cisco patched ten medium-severity security vulnerabilities in multiple products. These issues could enable attackers to escalate privileges, launch cross-site scripting (XSS) attacks, and perform command injections. Among these, a command injection vulnerability identified as CVE-2024-20287 in the web-based management interface of Cisco’s WAP371 Wireless Access Point also drew attention. However, this particular vulnerability won’t be patched by Cisco as the WAP371 device reached its end-of-life in June 2019.
Users of Cisco’s products, particularly those in IT and network management, are advised to stay informed about these updates. They should apply the necessary patches to ensure the security and integrity of their systems and data.
