"Cisco Patches High-Severity Vulnerability Reported by NSA"

Cisco recently announced patches for multiple vulnerabilities across its products, including a high-severity bug in its enterprise collaboration solutions.

Tracked as CVE-2024-20375, the high-severity issue (CVSS score of 8.6) impacts the SIP call processing function of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and can be exploited remotely, without authentication. Cisco noted that improper parsing of SIP messages could allow an attacker to send crafted packets to the affected products and cause the device to reload, leading to a denial-of-service (DoS) condition.

Cisco noted that there are no workarounds for this bug, but Unified CM and Unified CM SME versions 12.5(1)SU9, 14SU4, and 15SU1 contain patches for it. The tech giant has credited the US National Security Agency (NSA) for reporting CVE-2024-20375 and notes that it is unaware of the security defect being exploited in the wild.

On Wednesday, the company also updated its advisory on CVE-2024-6387, the OpenSSH vulnerability known as regreSSHion, with additional information on the released and planned fixes for Cisco products found to be vulnerable.

SecurityWeek reports: "Cisco Patches High-Severity Vulnerability Reported by NSA"

Submitted by Adam Ekwall on