U.S. Center for Internet Security Alert Level
GUARDED: indicates a general risk of increased hacking, virus, or other malicious activity.
From the Center for Internet Security, “The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.”
CVE-2020-3280 Cisco RCE Flaw in Call Center Solution
Zeljka Zorz of Help Net Security is reporting that, “Cisco has patched a critical RCE vulnerability in Cisco’s Unified Contact Center Express.” RCE is an acronym for Remote Code Execution. She goes on to state that, “Threat Hunter, Brenden Meeder of Booz Allen Hamilton, discovered the vulnerability in the Java user interface (UI) of the Cisco UCCX solution.”
The vulnerability arises when user-supplied data is deserialized. What is deserialization? Often, data is serialized as it’s passed between functions or objects, or exposed to other programming interfaces. Part of that process is to package the data into a single variable by concatenating it into a single string. It’s then passed to the receiving function, object, or programming interface, where it is deserialized: the contents of the string are parsed and then used at the receiving end. It sounds as if data sanitization was not taking place when the data was received and deserialized. Data sanitization is the process of inspecting and reformatting data so that it contains no injectable code. Its absence is what makes Remote Code Execution (RCE) possible. The code executes as root, so it runs without restriction on the targeted system.
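To make the missing check concrete, the following added example (not Cisco's code or its fix, and not taken from the advisory) contrasts an unfiltered Java `readObject` call with one guarded by an `ObjectInputFilter` allowlist. It assumes Java 9 or later; the `CallRecord` class and the sample values are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;

public class DeserializationFilterDemo {
    // Hypothetical message type the receiving end expects (assumption, not a UCCX class).
    static class CallRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String agent;
        final int seconds;
        CallRecord(String agent, int seconds) { this.agent = agent; this.seconds = seconds; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Weak form: builds whatever serializable class the sender names in the stream.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened form: the allowlist is consulted before any class is instantiated.
    // Patterns are tried left to right; the trailing "!*" rejects everything else.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$CallRecord;java.lang.String;maxdepth=5;maxbytes=4096;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new CallRecord("agent-7", 42));   // constructed sample
        byte[] unexpected = serialize(new ArrayList<String>());       // constructed stand-in for an unplanned type
        System.out.println("unfiltered: built " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered:   built " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected, " + e.getMessage());
        }
    }
}
```

The filtered reader throws `InvalidClassException` for any class outside the allowlist, so the type check happens before the object exists rather than after the caller casts it.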
Cisco is recommending an upgrade to 12.01ES03 or a variant of the 12.5 code base.
The flaw was privately disclosed and subsequently fixed prior to the vulnerability’s announcement. Cisco has released SNORT rules that identify and protect against the vulnerability.
In Related News
- CVE-2020-3175, Cisco MDS 9000 Series Switches Denial of Service Vulnerability
- CVE-2020-3280, Cisco Unified Contact Center Express Remote Code Execution Vulnerability
- CVE-2020-3272, Cisco Prime Network Registrar DHCP Denial of Service Vulnerability
- CVE-2020-3184, Cisco Prime Collaboration Provisioning Software SQL Injection Vulnerability
- CVE-2020-3314, Cisco AMP for Endpoints Mac Connector Software File Scan Denial of Service Vulnerability
- CVE-2020-3343 and CVE-2020-3344, Cisco AMP for Endpoints Linux Connector and AMP for Endpoints Mac Connector Software Memory Buffer Vulnerability
- CVE-2018-0233, Cisco Firepower Detection Engine Secure Sockets Layer Denial of Service Vulnerability
Signal Geo-location Vulnerability
Zeljka Zorz of Help Net Security is also reporting that, “Signal has fixed a vulnerability affecting its secure and encrypted communications application. Actors were able to discover and track a user’s location.”
In the opinion of Cyber Defense Contractors, “This is big news as the app is designed for private communications without the expectation that a user’s location would be revealed.”
It appears that Signal uses a fork of the WebRTC protocol for their voice and video communications. While the call is being set up, a DNS server is queried. Depending on the DNS server used, this can reveal a user’s location down to the city the user is in. This exposure takes place whether a party chooses to take the call or not. Again, it happens during the initial call setup.
- Abusing WebRTC to Reveal Coarse Location Data in Signal
- Help Net Security, Signal
- Signal Home Page
- Signal, Introducing Signal Pins