Cisco: Critical Java flaw strikes 'call center in a box', patch urgently

Mid-sized companies with Cisco's call-center product need to patch a critical, remotely exploitable flaw.
Written by Liam Tung, Contributing Writer

Organizations using Cisco's call-center platform, Unified Contact Center Express (Unified CCX), should update the software urgently, Cisco has warned. 

The company has released updates for the Unified CCX platform to address a critical deserialization vulnerability in its Java-based remote management interface, which could allow a remote attacker without credentials to install malware on the device. 

Cisco describes Unified CCX as a "'contact center in a box' that provides a secure and easy to deploy customer interaction management solution for up to 400 agents".

SEE: Cybersecurity: Let's get tactical (free PDF)    

Brenden Meeder, a security expert from Edward Snowden's former employer, Booze Allen Hamilton, found he could compromise Unified CCX systems from afar by sending a malicious serialized Java object to the remote management interface. 

"A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device," Cisco warns

Cisco says the bug doesn't affect the bigger Cisco Unified Contact Center, which supports contact centers with up to 24,000 agents. 

To address the bug, Cisco is urging customers on Unified CCX major releases earlier than 12.0 and those on a 12.0 release to migrate to release 12.0(1)ES03. Unified CCX 12.5 is not vulnerable. 

The vulnerability is being tracked as CVE-2020-3280 and has a CVSS severity score of 9.8 out of a possible 10.  

However Cisco's Product Security Incident Response Team (PSIRT) said it wasn't aware of any attacks in the wild on this flaw. 

SEE: Cisco virtual roundtable: How to solve the digital divide impacting remote workforces and online classrooms

Cisco also released updates to fix a high-severity denial-of-service vulnerability affecting the DHCP server of Cisco Prime Network Registrar. 

There are two more recently fixed medium-severity flaws that were addressed, including an SQL injection affecting the web-based management interface of Cisco Prime Collaboration Provisioning Software, and a denial-of-service flaw affecting the file scan process of Cisco AMP for Endpoints Mac Connector Software. 

More on Cisco and network security

  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Cisco: Patch this critical firewall bug in Firepower Management Center  
  • Critical Cisco DCNM flaws: Patch right now as PoC exploits are released  
  • Cisco critical bugs: Nexus data center switch software needs patching now  
  • Cisco: All these routers have the same embedded crypto keys, so update firmware  
  • Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now  
  • Cisco warning: These routers running IOS have 9.9/10-severity security flaw
  • Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET
  • Editorial standards