Critical Cisco Bug in Unified CCX Allows Remote Code Execution


Cisco has fixed a critical remote code-execution flaw in its popular customer interaction management solution.

Cisco has hurried out a fix for a critical remote code-execution flaw in its customer interaction management solution, Cisco Unified Contact Center Express (CCX).

Cisco’s Unified CCX software is touted as a “contact center in a box” that allows companies to deploy customer-care applications. The flaw (CVE-2020-3280), which has a CVSS score of 9.8 out of 10, stems from the Java Remote Management Interface of the product.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software,” according to Cisco, in a Wednesday security alert. “An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.”

An unauthenticated, remote attacker could exploit this flaw to execute arbitrary code on an affected device. Those who are using Cisco Unified CCX version 12.0 and earlier are urged to update to the fixed release, 12.0(1)ES03. Version 12.5 is not vulnerable, according to Cisco.
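For defenders who want to spot the pattern Cisco describes, a serialized Java object arriving at a network listener, the following added example (not from Cisco or the original article) heuristically finds the Java serialization stream header in a captured payload and lists the class names it declares, so they can be compared against an allow-list. The class names and the sample stream are constructed for illustration, and the scan is a triage heuristic, not a full stream parser.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header (magic + version 5)
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
NAME_CHARS = re.compile(rb"[\w$.\[;]+")  # characters legal in a serialized class name

def class_names(payload: bytes) -> list[str]:
    """Heuristically list class names declared after the first stream header."""
    start = payload.find(STREAM_MAGIC)
    if start < 0:
        return []
    body, names, i = payload[start + len(STREAM_MAGIC):], [], 0
    while i + 3 <= len(body):
        if body[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", body, i + 1)
            end = i + 3 + length
            name = body[i + 3:end]
            # A class descriptor is name + 8-byte serialVersionUID; require room for both.
            if 0 < length <= 255 and end + 8 <= len(body) and NAME_CHARS.fullmatch(name):
                names.append(name.decode("ascii"))
                i = end + 8
                continue
        i += 1
    return names

def triage(payload: bytes, allowed: set[str]) -> tuple[str, list[str]]:
    """Classify one captured payload against an allow-list of expected classes."""
    if STREAM_MAGIC not in payload:
        return ("no-java-stream", [])
    names = class_names(payload)
    unexpected = [n for n in names if n not in allowed]
    if unexpected or not names:  # unknown class, or header with nothing parseable
        return ("alert", unexpected)
    return ("expected", [])

def sample_stream(class_name: str) -> bytes:
    """Constructed test input: a serialized object of a field-less class."""
    name = class_name.encode("ascii")
    desc = bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
    desc += (1).to_bytes(8, "big") + b"\x02" + b"\x00\x00"  # UID, SC_SERIALIZABLE, 0 fields
    return STREAM_MAGIC + bytes([TC_OBJECT]) + desc + bytes([TC_ENDBLOCKDATA, TC_NULL])

ALLOWED = {"com.example.cc.AgentStatus"}  # hypothetical class the listener expects
```

Detection of this kind complements, and does not replace, updating to the fixed release.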

Cisco is not aware of any public announcements or malicious use of the flaw, according to the update. The tech giant on Wednesday also released a patch addressing a high-severity flaw (CVE-2020-3272) in its Prime Network Registrar, which enables dynamic host configuration protocol (DHCP) services (as well as DNS services).

The flaw stems from insufficient input validation of incoming DHCP traffic. It exists in the DHCP server and could enable an unauthenticated, remote attacker to trigger a denial of service (DoS) attack on an affected device.

“An attacker could exploit this vulnerability by sending a crafted DHCP request to an affected device,” according to Cisco. “A successful exploit could allow the attacker to cause a restart of the DHCP server process, causing a DoS condition.”

Also fixed were several medium-severity flaws, including a SQL injection flaw in Cisco’s Prime Collaboration Provisioning Software (CVE-2020-3184), a DoS flaw in Cisco AMP for Endpoints Mac Connector Software (CVE-2020-3314) and memory buffer flaws (CVE-2020-3343, CVE-2020-3344) in Cisco AMP for Endpoints Linux Connector Software and Cisco AMP for Endpoints Mac Connector Software.

Earlier this month, Cisco also stomped out 12 high-severity vulnerabilities affecting Cisco’s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network-security devices. The flaws can be exploited by unauthenticated remote attackers to launch an array of attacks – from denial of service (DoS) to sniffing out sensitive data.
