Cisco has patched a critical remote code execution hole (CVE-2020-3280) in Cisco Unified Contact Center Express, its “contact center in a box” solution, and is urging administrators to upgrade to a fixed software version.
About the vulnerability (CVE-2020-3280)
Flagged by prolific bug hunter Brenden Meeder of Booz Allen Hamilton, CVE-2020-3280 is a vulnerability in the Java Remote Management Interface of the UCCX solution.
“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device,” Cisco explained.
There are no workarounds that address the vulnerability – only updating will fix it: either to v12.0(1)ES03 or the (not vulnerable) 12.5 version.
The good news is that the flaw was privately disclosed and consequently fixed, and that attackers aren’t currently exploiting it in the wild. Another piece of good news is that Cisco Talos released Snort rules for protecting against exploitation of the flaw.
According to Cisco, its Cisco Unified Contact Center – a solution for much larger customer contact centers – is not affected by CVE-2020-3280.
Other flaws fixed
In the last couple of days, Cisco has also squashed two high-risk DoS vulnerabilities – one affecting its MDS 9000 Series Multilayer Switches and the other affecting Cisco Prime Network Registrar, a DNS, DHCP and IP address management appliance – and three of medium severity affecting Cisco Prime Collaboration Provisioning Software, Cisco AMP for Endpoints Mac Connector Software, and Cisco AMP for Endpoints Linux Connector Software.
Security advisories for each can be found here.