[CVSS 7+] Cisco Addresses Root Privilege-Escalation

Executive Summary

Cisco addressed 12 vulnerabilities in January. One of the vulnerabilities, CVE-2024-20272, identified in Cisco’s Unity Connection software is classified as high-severity. It has the potential to enable an unauthenticated remote attacker to obtain root privileges on vulnerable devices.

Also, proof-of-concept exploit code is available for a medium-severity command injection vulnerability in the end-of-life Cisco WAP371 Wireless-AC/N Dual Radio Access Point.

Organisations using Cisco products should promptly review Cisco’s advisories, prioritise updates based on risk, and stay vigilant against potential exploits.

Provided below is a summary of Cisco’s recent advisories. Additionally, please refer to Cisco’s security advisory list for detailed information on the security fixes.

CVE-2024-20272

CVE-2024-20272, with a CVSS score of 7.3, affects the web-based management interface of Cisco Unity Connection, a messaging platform and voicemail system. This vulnerability allows an unauthenticated, remote attacker to upload arbitrary files to an affected system and potentially gain root privileges on vulnerable devices. Please refer to Cisco’s security advisory for the vulnerability details and fixes.

Medium-Severity Vulnerabilities

Cisco also resolved 11 medium-severity vulnerabilities across its various software products. These included issues in the Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and TelePresence Management Suite (TMS).

Notably, Cisco acknowledges that proof-of-concept exploit code is publicly available for one of them. This vulnerability, tracked as CVE-2024-20287, is a command injection vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point. It has a CVSS score of 6.5. Attackers could exploit it to execute arbitrary commands with root privileges, though valid administrative credentials are required for successful exploitation.

Cisco has stated that it will not release firmware updates to patch this security flaw because the WAP371 device has reached end-of-life, and it advises customers to migrate to the Cisco Business. Please refer to Cisco’s security advisory for the details.

Critical Security Fix of Cisco in December

Cisco released a patch for Identity Services Engine (ISE) to address CVE-2023-50164 in late December. It is a critical Remote Code Execution (RCE) vulnerability in Apache Struts, with a CVSS score of 9.8.

Apache had fixed it earlier in December. Please note that proof-of-concept exploit code is available for this vulnerability and experts have observed exploitation attempts. Please refer to our prior articles for more information about this vulnerability.

Call for Action

We advise organisations to act swiftly in response to Cisco’s recently disclosed vulnerabilities. It is crucial to review the advisories, prioritise vulnerabilities based on their risk, and apply necessary updates, especially those for which proof-of-concept exploit codes are available. Additionally, please assess the impact on your systems and plan to migrate from end-of-life products like Cisco WAP371 to supported alternatives. Lastly, remain vigilant for any signs of exploitation attempts, especially for vulnerabilities with known proof-of-concept codes. Taking prompt and decisive actions is essential for maintaining network security and integrity.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.