Cisco Fixes a Critical Flaw in Unified CCMP and Unified CCDM

Cisco fixed a critical privilege escalation vulnerability, tracked as CVE-2022-20658, in Unified CCMP and Unified CCDM.On the other hand, unofficial updates have been released for the RemotePoato0 vulnerability, which Microsoft did not update.

“The good news is that the IT giant is not aware of attacks in the wild exploiting this vulnerability.” (Source: Security News)

How Does the Vulnerability Affect?

The critical vulnerability with code CVE-2022-20658 and a criticality level of 9.6 in the web-based interface of Cisco‘s Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) platforms allows an authenticated remote attacker to Allows you to elevate privileges to “Administrator.”

The security vulnerability in question is because user permissions are not validated on the server-side. Threat actors can exploit the vulnerability by sending a prepared HTTP request to a vulnerable system. A successful exploit could allow threat actors to create “Administrator” accounts.

With these accounts, attackers can access and modify phone and user resources on all Unified platforms associated with the vulnerable Cisco Unified CCMP. However, actors need valid “Advanced User” credentials to exploit the vulnerability.

In addition, RemotePotato0, which Microsoft did not update, is based on an NTLM pass-through attack. The Windows NT LAN Manager (NTLM) authentication protocol authenticates remote users and provides session security when requested by application protocols.

The vulnerability, which allows cyber threat actors to trigger authenticated RPC/DCOM calls, can successfully transfer NTML authentication to other protocols, granting them elevated privilege in the targeted domain. Thus, attackers can become domain administrators.

Which Versions Does the Vulnerability Affect?

Versions affected by the vulnerability with code CVE-2022-20658 include versions 11.6.1 ES17, 12.0.1 ES5, and 12.5.1 ES5 of Unified CCMP/Unified CCDM. Cisco says it is not aware of the vulnerability used in malicious attacks.

NTML is still used on Windows servers, although Kerberos replaces NTLM, the default authentication protocol for domain-attached devices in all Windows 2000 and later.