Cisco: Critical Java flaw strikes ‘call center in a box’, patch urgently
Organizations using Cisco’s call-center platform, Unified Contact Center Express (Unified CCX), should update the software urgently, Cisco has warned.
The company has released updates for the Unified CCX platform to address a critical deserialization vulnerability in its Java-based remote management interface, which could allow a remote attacker without credentials to install malware on the device.
Cisco describes Unified CCX as a “‘contact center in a box’ that provides a secure and easy to deploy customer interaction management solution for up to 400 agents”.
Brenden Meeder, a security expert from Edward Snowden’s former employer, Booze Allen Hamilton, found he could compromise Unified CCX systems from afar by sending a malicious serialized Java object to the remote management interface.
“A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device,” Cisco warns.
Cisco says the bug doesn’t affect the bigger Cisco Unified Contact Center, which supports contact centers with up to 24,000 agents.
To address the bug, Cisco is urging customers on Unified CCX major releases earlier than 12.0 and those on a 12.0 release to migrate to release 12.0(1)ES03. Unified CCX 12.5 is not vulnerable.
The vulnerability is being tracked as CVE-2020-3280 and has a CVSS severity score of 9.8 out of a possible 10.
However Cisco’s Product Security Incident Response Team (PSIRT) said it wasn’t aware of any attacks in the wild on this flaw.
Cisco also released updates to fix a high-severity denial-of-service vulnerability affecting the DHCP server of Cisco Prime Network Registrar.
There are two more recently fixed medium-severity flaws that were addressed, including an SQL injection affecting the web-based management interface of Cisco Prime Collaboration Provisioning Software, and a denial-of-service flaw affecting the file scan process of Cisco AMP for Endpoints Mac Connector Software.