For the second time in a week CISOs with products from Cisco Systems are being warned of a problem, this time from the vendor itself.
The company said in an advisory that organizations using its Prime Collaboration Assurance software, which is used for managing the installation and maintenance of Cisco Unified Communications and TelePresence components as well as user provisioning, need to install updates immediately.
The problems include a Web framework access controls bypass vulnerability, a session ID privilege escalation vulnerability and an information disclosure vulnerability.
Successful exploitation of the first two bugs could allow an authenticated attacker to perform tasks with the privileges of an administrator for any domain or customer managed by the affected system, says Cisco.
Successful exploitation of the information disclosure vulnerability could allow an authenticated attacker to access sensitive information, such as Simple Network Management Protocol (SNMP) community strings and administrative credentials, of any devices imported in the system database.
In all three cases Cisco said the vulnerability is due to improper implementation of the software’s authorization and access controls. An attacker would have to be logged in to the system to exploit the bugs.
The fix is in Cisco Prime Collaboration Assurance Software Release 10.5.1 MSP patch cpc-assurance-patchbundle-10.5.1.53684-1.x86_64.tar.gz and Release 11.0 and later. There is currently no fixed release for Cisco Prime Collaboration Assurance Software Release 10.6 or Release 10.5 ENT.
Earlier this week network admins with Cisco [Nasdaq: CSCO] routers running its IOS operating system were warned that an attacker stealing administrator credentials could install a modified version of the OS that includes a backdoor, allowing entry to an organization’s systems.