Last week Cisco issued security updates for the following products:
- Cisco Prime Collaboration Assurance: This software assists with the maintenance and installation of Cisco Unified Communications and Cisco TelePresence components as well as the provisioning of users and services.
- Cisco Prime Collaboration Provisioning Web Framework: Part of the above-mentioned software.
- Cisco TelePresence Server: This product provides video conferencing and interacts with Cisco Unified Communications Manager and other Cisco products.
These updates address elevation of privilege and remote code execution vulnerabilities in the above products.
Why Should These Issues Be Considered Important?
In the case of the issues with Prime Collaboration Assurance and Prime Collaboration Provisioning Web Framework, the vulnerabilities could be exploited by an attacker who already has access to your network (e.g. using an earlier phishing attack or brute forcing a password) by sending a specially crafted URL to the affected system with the software installed.
The vulnerabilities within Prime Collaboration Assurance will allow the attacker to perform actions as an administrator for any customer managed by the system. For the Prime Collaboration Provisioning Web Framework the vulnerability would allow the attacker to create a new user account with administrator privileges and then access/manipulate any data they choose.
Finally, the most serious vulnerability being addressed is a buffer overflow vulnerability in Cisco TelePresence Server, which could allow a remote attacker to cause your server to crash (a denial of service attack) by sending a specially crafted URL to the system.
In addition, no workarounds are available for any of these vulnerabilities. Thankfully, at this time Cisco is not aware of any of these flaws being used to attack customers.
How Can I Protect Myself From These Issues?
If your company makes use of either the above management software or video conferencing server, please follow the directions within the Cisco security advisories below to install the necessary updates:
- Multiple Vulnerabilities in Cisco Prime Collaboration Assurance
- Cisco Prime Collaboration Provisioning Web Framework Access Controls Bypass Vulnerability
- Cisco TelePresence Server Denial of Service Vulnerability