Last night Cisco Systems Inc. revealed a vulnerability in a customer service product that enables businesses to interact with customers using Web-based chat and voice communications. The flaw could open up enterprises to attacks from remote users.
Cisco Collaboration Server versions 3 and 4, and the related ServletExec 2 and 3, are all vulnerable.
Vendors operating on the Web use the product to allow customers to click on a button in an online Web form and initiate a chat session with a customer service agent. It also integrates voice communication via voice over Internet Protocol or traditional voice systems.
However, the product allows anyone who can reach the server to upload and execute files. Because users can bypass proper authentication and execute uploaded files rather than simply view them, anyone interacting with a Cisco Collaboration Server could potentially take control of the collaboration system, said Thomas Kristensen, chief technology officer with Secunia, a Copenhagen, Denmark-based security information clearinghouse that publicized the flaw after Cisco posted it to its own site.
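The flaw class described above is an upload path that skips authentication and then lets the web tier execute what was uploaded. The following is an added illustration of the controls a defender expects from such a handler, written for this article rather than taken from Cisco's product, its advisory or its fix; the `handle_upload`/`serve_upload` names, the extension allowlist and the sample filenames are constructed for the example, and it assumes the upload directory lives outside the web server's document root.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed policy values for this example (not from the Cisco advisory).
ALLOWED_EXTENSIONS = {".txt", ".png", ".pdf"}   # data formats only, never server-side code
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_path: Optional[str] = None


def handle_upload(authenticated: bool, filename: str, content: bytes, upload_root: str) -> UploadResult:
    """Accept an upload only from an authenticated session, with a safe name,
    an allowlisted extension, and storage outside the document root."""
    if not authenticated:
        return UploadResult(False, "authentication required")
    if len(content) > MAX_UPLOAD_BYTES:
        return UploadResult(False, "file too large")
    # Reject anything that could escape the upload directory.
    if not _SAFE_NAME.fullmatch(filename) or ".." in filename:
        return UploadResult(False, "invalid filename")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return UploadResult(False, f"extension {ext!r} not allowed")
    # The server assigns the stored name; the client's name only supplies the extension.
    fd, path = tempfile.mkstemp(suffix=ext, dir=upload_root)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # readable by the service only, never executable
    # Confirm the resolved path is still inside upload_root (defence in depth).
    root_real = os.path.realpath(upload_root)
    if os.path.commonpath([os.path.realpath(path), root_real]) != root_real:
        os.remove(path)
        return UploadResult(False, "path escaped upload root")
    return UploadResult(True, "stored", path)


def serve_upload(path: str) -> tuple:
    """Return stored content as an opaque attachment so the web tier never
    interprets it as a servlet, JSP or script."""
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{os.path.basename(path)}"',
        "X-Content-Type-Options": "nosniff",
    }
    with open(path, "rb") as fh:
        return headers, fh.read()


def demo() -> dict:
    """Run the handler through constructed scenarios in a throwaway directory."""
    root = tempfile.mkdtemp(prefix="uploads_")
    results = {
        "unauthenticated": handle_upload(False, "notes.txt", b"hi", root).reason,
        "server_code": handle_upload(True, "code.jsp", b"<% %>", root).reason,
        "traversal": handle_upload(True, "../../index.html", b"x", root).reason,
    }
    good = handle_upload(True, "notes.txt", b"hello", root)
    results["good_under_root"] = good.accepted and os.path.dirname(good.stored_path) == root
    results["good_mode"] = oct(os.stat(good.stored_path).st_mode & 0o777)
    headers, body = serve_upload(good.stored_path)
    results["served_as_attachment"] = (
        headers["Content-Type"] == "application/octet-stream" and body == b"hello"
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three checks that matter for the flaw class in the article are the authentication gate, the extension allowlist that excludes anything the application server would execute, and serving stored files as `application/octet-stream` from a directory the servlet engine never maps, so an uploaded file can be downloaded but not run.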
Cisco's advisory asks that businesses upgrade their collaboration server to version 5, or version 4 with a patch. The company also provides workarounds for those who do not want to upgrade.
Cisco could not be reached for comment.
Golding said that many talented software engineers leave Cisco because their skills are not as valued as those of engineers who work on Cisco's routers and switches. The result is that Cisco's software products are often meant to fill out a product portfolio, but are not as useful as they might be.
Matt Moore of Pentest Ltd., a U.K.-based organization, discovered the vulnerability. Kristensen said that it is likely that Moore discovered the vulnerability months ago and Cisco did not publicize it until a fix had been developed, a common approach to such vulnerabilities.