
Cisco Collaboration Server flaw could allow remote attacks

A flaw in Cisco's Collaboration Server could leave some enterprises open to attacks from remote users. One analyst says the vulnerability demonstrates that the networking giant's software is not up to par with the rest of the industry.

Last night Cisco Systems Inc. revealed a vulnerability in a customer service product that enables businesses to interact with customers using Web-based chat and voice communications. The flaw could open up enterprises to attacks from remote users.

Cisco Collaboration Server versions 3 and 4 and the related Servlet Exec 2 and 3 are all vulnerable.

Vendors operating on the Web use the product to allow customers to click on a button in an online Web form and initiate a chat session with a customer service agent. It also integrates voice communication via voice over Internet Protocol or traditional voice systems.

However, the product allows anyone with access to the server to upload and execute files. Because users can bypass proper authentication procedures and execute files rather than simply view them, anyone using Cisco Collaboration Server could potentially take control of the collaboration system, said Thomas Kristensen, chief technology officer with Secunia, a Copenhagen, Denmark-based security information clearinghouse that publicized the flaw after Cisco posted it to its own site.

Cisco's advisory asks that businesses upgrade their collaboration server to version 5, or version 4 with a patch. The company also provides workarounds for those who do not want to upgrade.

Cisco could not be reached for comment.


"Cisco is not a software company, though it thinks it is," said Dan Golding, a senior analyst with the Midvale, Utah-based Burton Group. He noted Cisco has had trouble with several software products in the past. Though those problems have generally not been security related, Golding said Cisco's software products are often not up to par with the rest of the industry.

Golding said that many talented software engineers leave Cisco because their skills are not as valued as those of the engineers who work on Cisco's routers and switches. The result is that Cisco's software products are often meant to fill out a product portfolio, but are not as useful as they might be.

Matt Moore of Pentest Ltd., a U.K.-based organization, discovered the vulnerability. Kristensen said that it is likely that Moore discovered the vulnerability months ago and Cisco did not publicize it until a fix had been developed, a common approach to such vulnerabilities.
