Cisco on Wednesday announced patches for multiple vulnerabilities across its products, including a high-severity bug in its enterprise collaboration solutions.
Tracked as CVE-2024-20375, the high-severity issue (CVSS score of 8.6) impacts the SIP call processing function of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and can be exploited remotely, without authentication.
Improper parsing of SIP messages could allow an attacker to send crafted packets to the affected products and cause the device to reload, leading to a denial-of-service (DoS) condition.
According to Cisco, there are no workarounds for this bug, but Unified CM and Unified CM SME versions 12.5(1)SU9, 14SU4, and 15SU1 contain patches for it.
The tech giant has credited the US National Security Agency (NSA) for reporting CVE-2024-20375 and notes that it is not aware of the security defect being exploited in the wild.
On Wednesday, the company also updated its advisory on CVE-2024-6387, the OpenSSH vulnerability known as regreSSHion, with additional information on the released and planned fixes for Cisco products found to be vulnerable.
Additionally, Cisco published four advisories detailing medium-severity bugs in Identity Services Engine (ISE), Unified CM, and Unified CM SME.
Three of these security defects were found in Cisco ISE, including a blind SQL injection via REST API calls, an information disclosure, and a cross-site request forgery (CSRF).
The fourth issue impacts the web-based management interface of Unified CM and Unified CM SME, and could allow remote, unauthenticated attackers to perform a cross-site scripting (XSS) attack and execute arbitrary script code in the context of the interface.
The company says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on Cisco’s security advisories page.