CVE-2024-20375
📋 TL;DR
An unauthenticated remote attacker can send a specially crafted SIP message to Cisco Unified Communications Manager systems, causing them to reload and creating a denial of service condition. This vulnerability affects voice and video communications that rely on these systems. All organizations running vulnerable versions of Cisco Unified CM or Unified CM SME are affected.
💻 Affected Systems
- Cisco Unified Communications Manager
- Cisco Unified Communications Manager Session Management Edition
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of all voice and video communications relying on the affected Unified CM system, potentially affecting emergency services, business operations, and customer communications.
Likely Case
Intermittent service disruptions affecting voice and video calls, voicemail, and other unified communications features until the system restarts.
If Mitigated
Limited impact with proper network segmentation and monitoring, though service interruptions may still occur during exploitation attempts.
🎯 Exploit Status
Exploitation requires sending a crafted SIP message to the vulnerable system. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions available - refer to Cisco advisory
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-dos-kkHq43We
Restart Required: Yes
Instructions:
1. Review Cisco advisory for specific fixed versions.
2. Download appropriate patch from Cisco Software Center.
3. Apply patch following Cisco upgrade procedures.
4. Restart affected services or system as required.
🔧 Temporary Workarounds
Network Segmentation
Restrict SIP traffic to trusted sources only using firewalls or access control lists
SIP Inspection
Implement SIP message inspection and filtering using security appliances
🧯 If You Can't Patch
- Implement strict network segmentation to limit SIP traffic to trusted sources only
- Deploy intrusion prevention systems with SIP protocol anomaly detection capabilities
🔍 How to Verify
Check if Vulnerable:
Check current Unified CM version and compare against affected versions in Cisco advisory
Check Version:
show version active
Verify Fix Applied:
Verify system is running a patched version from Cisco advisory and monitor for system reloads
📡 Detection & Monitoring
Log Indicators:
- Unexpected system reloads
- SIP parsing errors
- Increased SIP message failures
Network Indicators:
- Unusual SIP traffic patterns
- SIP messages with malformed headers
- Multiple SIP requests from single source
SIEM Query:
source="unified-cm" AND (event_type="system_reload" OR message="SIP parsing error")
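The SIEM query above matches reloads and SIP parsing errors separately. The following added example (not part of the original page or Cisco tooling) correlates them in time: for each reload it reports how many SIP parsing errors preceded it and from which senders. The JSON-lines layout, the ts and src_ip fields and the 60-second window are assumptions, and the sample events are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). source, event_type and message follow
# the SIEM query above; ts and src_ip are assumed fields, not a real CUCM format.
SAMPLE_LOG = """\
{"ts": "2024-08-21T09:30:00", "source": "unified-cm", "event_type": "sip", "message": "SIP parsing error", "src_ip": "198.51.100.7"}
{"ts": "2024-08-21T10:00:05", "source": "unified-cm", "event_type": "sip", "message": "SIP parsing error", "src_ip": "198.51.100.7"}
{"ts": "2024-08-21T10:00:20", "source": "unified-cm", "event_type": "sip", "message": "SIP parsing error", "src_ip": "198.51.100.7"}
{"ts": "2024-08-21T10:00:30", "source": "other-app", "event_type": "sip", "message": "SIP parsing error", "src_ip": "192.0.2.44"}
this line is not JSON
{"ts": "2024-08-21T10:00:41", "source": "unified-cm", "event_type": "sip", "message": "SIP parsing error", "src_ip": "203.0.113.9"}
{"ts": "2024-08-21T10:00:50", "source": "unified-cm", "event_type": "system_reload", "message": "reload"}
{"ts": "2024-08-21T11:15:00", "source": "unified-cm", "event_type": "system_reload", "message": "reload"}
"""

WINDOW = timedelta(seconds=60)  # assumed look-back before each reload

def parse(lines):
    """Yield unified-cm events with parsed timestamps, skipping unreadable lines."""
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        if ev.get("source") == "unified-cm":
            yield ev

def correlate(lines, window=WINDOW):
    """For each system_reload, count SIP parsing errors per sender in the window before it."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    findings = []
    for reload_ev in (e for e in events if e.get("event_type") == "system_reload"):
        start = reload_ev["ts"] - window
        senders = Counter(
            e.get("src_ip", "unknown") for e in events
            if e.get("message") == "SIP parsing error" and start <= e["ts"] < reload_ev["ts"])
        findings.append({"reload_at": reload_ev["ts"].isoformat(),
                         "parse_errors": sum(senders.values()),
                         "senders": dict(senders)})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A reload with preceding parse errors from an untrusted sender is the case worth triaging first; a reload with none, like the second one in the sample, is more likely routine.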