Cisco warns of vulnerabilities in communications management software

For the second time in a week CISOs with products from Cisco Systems are being warned of a problem, this time from the vendor itself.

The company said in an advisory that organizations using the its Prime Collaboration Assurance software for managing the installation and maintenance of Cisco Unified Communications and TelePresence components  as well as user provisioning need to install updates immediately.

The problems include a Web framework access controls bypass vulnerability, a session ID privilege escalation vulnerability and an information disclosure vulnerability.
Successful exploitation of the first two bugs could allow an authenticated attacker to perform tasks with the privileges of an administrator for any domain or customer managed by the affected system, says Cisco.

Successful exploitation of the information disclosure vulnerability could allow an authenticated attacker to access sensitive information, such as Simple Network Management Protocol (SNMP) community strings and administrative credentials, of any devices imported in the system database.

In all three cases Cisco said the vulnerability is due to improper implementation of the software’s authorization and access controls. An attacker would have to be logged in to the system to exploit the bugs.

The fix is in Cisco Prime Collaboration Assurance Software Release 10.5.1 MSP patch cpc-assurance-patchbundle- and Release 11.0 and later. There is currently no fixed release for Cisco Prime Collaboration Assurance Software Release 10.6 or Release 10.5 ENT.

Earlier this week network admins with Cisco [Nasdaq: CSCO] routers running its IOS operating system were warned that an attacker stealing administrator credentials could install a modified version of the OS that includes a backdoor, allowing entry to an organization’s systems.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web