Cisco Collaboration Server flaw could allow remote attacks

Jim Rendon, News Writer

Last night Cisco Systems Inc. revealed a vulnerability with a customer service product that enables businesses to interact with customers using Web-based chat and voice communications. The flaw could open up enterprises to attacks from remote users.

Cisco Collaboration Server versions 3 and 4, and the related ServletExec versions 2 and 3, are all vulnerable.

Vendors operating on the Web use the product to allow customers to click on a button in an online Web form and initiate a chat session with a customer service agent. It also integrates voice communication via voice over Internet Protocol or traditional voice systems.

However, the product allows anyone with network access to the server to upload and execute files. Because users can bypass the proper authentication procedures and execute files rather than simply view them, anyone targeting a Cisco Collaboration Server deployment could potentially take control of the collaboration system, said Thomas Kristensen, chief technology officer with Secunia, a Copenhagen, Denmark-based security information clearinghouse that publicized the flaw after Cisco posted it to its own site.

Cisco's advisory asks that businesses upgrade their collaboration server to version 5, or version 4 with a patch. The company also provides workarounds for those who do not want to upgrade.

Cisco could not be reached for comment.

For more information

View Cisco's Collaboration Server security advisory.

Read our exclusive: On security, is Cisco the next Microsoft?

"Cisco is not a software company, though it thinks it is," said Dan Golding, a senior analyst with the Midvale, Utah-based Burton Group. He noted Cisco has had trouble with several software products in the past. Though those problems have generally not been security related, Golding said Cisco's software products are often not up to par with the rest of the industry.

Golding said that many talented software engineers leave Cisco because their skills are not as valued as those who work on Cisco's routers and switches. The result is that Cisco's software products are often meant to fill out a product portfolio, but are not as useful as they might be.

Matt Moore of Pentest Ltd., a U.K.-based organization, discovered the vulnerability. Kristensen said that it is likely that Moore discovered the vulnerability months ago and Cisco did not publicize it until a fix had been developed, a common approach to such vulnerabilities.
