Summary
A Cisco Security Advisory was released on October 4th, 2023, regarding CVE-2023-20101. This vulnerability has a CVSS 3.1 base score of 9.8, marking it as critical. It affects Cisco Emergency Responder Release 12.5(1)SU4, which operates within Cisco Unified Communications Manager. This vulnerability enables an unauthenticated remote attacker to log in to an affected device with root-level privileges.
Impact Assessment
CVE-2023-20101 is characterized by a low attack complexity, requiring no user interaction for exploitation and providing unauthorized access to root permissions on the device. These characteristics pose a significant security risk, as they enable attackers to remotely manipulate the device as they see fit.
What It Means for You
Exploiting this vulnerability can have severe consequences, including the compromise of your device and the potential loss of availability of critical services. If this vulnerability is successfully exploited, the attacker gains root privileges on the device, jeopardizing all associated data and accounts, with the risk of data exfiltration. Additionally, a life-saving feature, Cisco Emergency Responder, may become compromised. This software plays a vital role in identifying the precise location of 9-1-1 callers through the 9-1-1 functionality in Cisco Unified Communications Manager. It ensures that when this feature is activated, emergency services receive the caller's exact location and can track it automatically. Meeting these legal and regulatory obligations reduces the liability risk associated with emergency calls.
Remediation
According to the Cisco Security Advisory, there are no workarounds, but you can update to version 12.5(1)SU5 of this software to remediate the vulnerability.
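Since the advisory names a single affected release and a single fixed release, the practical first step is an inventory check. The script below is an added example, not part of the Cisco advisory or this bulletin; it parses Cisco-style release strings such as 12.5(1)SU4 and flags each Cisco Emergency Responder host against the releases named above. The inventory export format (hostname,product,release) and the hostnames are constructed for illustration.

```python
import re

# Releases named on this page (Cisco advisory for CVE-2023-20101).
AFFECTED_RELEASE = "12.5(1)SU4"
FIXED_RELEASE = "12.5(1)SU5"

# Cisco-style release: major.minor(maintenance) with an optional SUn suffix.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:SU(\d+))?$")


def parse_release(text: str) -> tuple:
    """Turn '12.5(1)SU4' into a comparable tuple (12, 5, 1, 4).
    A release with no SU suffix is treated as service update 0."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, maint, su = m.groups()
    return (int(major), int(minor), int(maint), int(su or 0))


def assess(release: str) -> str:
    """Classify one Cisco Emergency Responder release against this advisory."""
    ver = parse_release(release)
    fixed = parse_release(FIXED_RELEASE)
    if ver == parse_release(AFFECTED_RELEASE):
        return "VULNERABLE - upgrade to " + FIXED_RELEASE
    # Same 12.5(1) train at SU5 or later carries the fix.
    if ver[:3] == fixed[:3] and ver >= fixed:
        return "patched"
    # Anything else is outside what the advisory text on this page states.
    return "not listed in advisory - verify against the Cisco advisory"


# Constructed sample inventory export (hostname,product,release).
SAMPLE_INVENTORY = """\
cer-hq-01,Cisco Emergency Responder,12.5(1)SU4
cer-dr-01,Cisco Emergency Responder,12.5(1)SU5
cer-lab-01,Cisco Emergency Responder,12.5(1)SU3
cucm-hq-01,Cisco Unified Communications Manager,12.5(1)SU4
"""


def triage(inventory_csv: str) -> dict:
    """Return {hostname: verdict} for every Emergency Responder row."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, release = (f.strip() for f in line.split(","))
        if product == "Cisco Emergency Responder":
            results[host] = assess(release)
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```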
Business Implications
Having a vulnerable version of this software in your device inventory can lead to serious consequences, not only if the vulnerability is exploited but also because its presence may jeopardize your legal and regulatory obligations. This vulnerability impacts a critical life-saving feature designed to reduce liability associated with emergency calls. If a user's device with this vulnerability is exploited and they attempt to make a 9-1-1 call through Cisco Unified Communications Manager, an unsuccessful call could lead to liability for your organization due to non-patching. This risk is heightened by Kari’s Law and RAY BAUM'S Act, which mandate direct 911 dialing, routing of calls to the nearest 911 Public Safety Answering Point, and notification of a secondary party during emergency calls. If your organization relies on this service to comply with these laws, it may be at risk due to this vulnerability.
Access Point Technology Recommends
To stay compliant with current statutes and ensure device security, Access Point Technology recommends you take the following actions:
- Apply the emergency patch (update to 12.5(1)SU5) promptly, given the software affected and the severity of the vulnerability.
- Ensure compliance with Kari’s Law and RAY BAUM'S Act regarding Multi-line Telephone Systems.
Associated Bulletins
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cer-priv-esc-B9t3hqk9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-20101
https://www.cisco.com/c/en/us/products/unified-communications/unified-communications-manager-callmanager/index.html
https://www.fcc.gov/mlts-911-requirements