CISCO-SA-20151224-JAB
Published: Dec 24, 2015, 18:30
Source: tools.cisco.com

Cisco Jabber STARTTLS Downgrade Vulnerability

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

CVSS3: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.001 (percentile 46.3%)

A vulnerability in the Cisco Jabber client could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack.

The vulnerability exists because the client does not verify that an Extensible Messaging and Presence Protocol (XMPP) connection has actually been established with Transport Layer Security (TLS) before continuing. An attacker positioned on the network path could exploit this vulnerability by tampering with the XMPP connection as a man-in-the-middle so that TLS negotiation never takes place. A successful exploit could allow the attacker to cause the client to establish a cleartext XMPP connection, exposing the session (including authentication and message traffic) to passive interception.
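The two ways an on-path attacker can suppress TLS in an XMPP session, and the client-side check that defeats them, as an added Python example that is not part of the advisory and is not Cisco's client code. The `<stream:features/>`, `<proceed/>` and `<failure/>` messages are constructed inline following RFC 6120; `strip_starttls` models the attacker, and `negotiate` models the client with TLS either opportunistic (the flaw the advisory describes) or required (the fix). Function and scenario names are this example's own.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
ET.register_namespace("stream", NS_STREAM)

# Constructed sample of what a compliant server sends after the stream header
# (RFC 6120 section 5.4.1): STARTTLS is offered before any SASL mechanisms.
FEATURES_WITH_STARTTLS = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
# Constructed server answers to the client's <starttls/> request.
PROCEED = '<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
FAILURE = '<failure xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'


class DowngradeError(Exception):
    """Raised by the hardened client when TLS cannot be established."""


def strip_starttls(features_xml):
    """Attacker side of the downgrade: an on-path proxy deletes the
    <starttls/> feature before forwarding <stream:features/> to the client."""
    root = ET.fromstring(features_xml)
    for child in list(root):
        if child.tag == "{%s}starttls" % NS_TLS:
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


def offers_starttls(features_xml):
    """True if the server (or whoever sits in the middle) advertised STARTTLS."""
    return ET.fromstring(features_xml).find("{%s}starttls" % NS_TLS) is not None


def negotiate(features_xml, tls_reply_xml, require_tls):
    """Client-side negotiation up to the point where the TLS handshake would start.

    Returns "tls" or "cleartext". With require_tls=False the client behaves like
    the vulnerable one in the advisory: TLS is opportunistic, so a stripped
    feature or a forged <failure/> silently yields a cleartext session. With
    require_tls=True the client raises DowngradeError instead of continuing.
    tls_reply_xml is the server's answer to the client's <starttls/>, or None
    if the client never sent one.
    """
    if not offers_starttls(features_xml):
        if require_tls:
            raise DowngradeError("server did not advertise <starttls/>; refusing cleartext XMPP")
        return "cleartext"
    # The client would now send <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>.
    reply = ET.fromstring(tls_reply_xml)
    if reply.tag == "{%s}proceed" % NS_TLS:
        # TLS handshake starts here; certificate validation is a separate
        # check and is not modelled in this example.
        return "tls"
    if require_tls:
        raise DowngradeError("server answered %s instead of <proceed/>" % reply.tag)
    return "cleartext"


def run_scenarios():
    """Exercise both downgrade paths against both client policies."""
    stripped = strip_starttls(FEATURES_WITH_STARTTLS)
    results = {
        "honest_server/vulnerable": negotiate(FEATURES_WITH_STARTTLS, PROCEED, False),
        "stripped_feature/vulnerable": negotiate(stripped, None, False),
        "forged_failure/vulnerable": negotiate(FEATURES_WITH_STARTTLS, FAILURE, False),
        "honest_server/hardened": negotiate(FEATURES_WITH_STARTTLS, PROCEED, True),
    }
    for name, args in (("stripped_feature/hardened", (stripped, None, True)),
                       ("forged_failure/hardened", (FEATURES_WITH_STARTTLS, FAILURE, True))):
        try:
            results[name] = negotiate(*args)
        except DowngradeError:
            results[name] = "aborted"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-30s %s" % (name, outcome))
```

Two points the scenarios make concrete: the `<required/>` child in the server's STARTTLS offer gives the client no protection, because the attacker removes the whole element rather than just the flag; and a forged `<failure/>` is as effective as stripping the feature if the client treats failure as "continue without TLS". The only robust policy is the one in the `require_tls=True` branch: never send SASL credentials or stanzas until the socket is actually wrapped in a verified TLS session.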

Cisco will release software updates that address this vulnerability. Workarounds that address this vulnerability are not available.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab

Affected configurations

The matchers below are the Vulners product tags for this advisory; each is "any version", so affected and fixed releases are not enumerated here and must be taken from the Cisco advisory itself.

Vendor | Product | Version | Target platform | CPE
cisco | unified_communications_manager_im_and_presence_service | any | * | cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:any:*:*:*:*:*:*:*
cisco | jabber_im | any | android | cpe:2.3:a:cisco:jabber_im:any:*:*:*:*:android:*:*
cisco | jabber | any | windows | cpe:2.3:a:cisco:jabber:any:*:*:*:*:windows:*:*
cisco | jabber | any | mac | cpe:2.3:a:cisco:jabber:any:*:*:*:*:mac:*:*
cisco | jabber | any | * | cpe:2.3:a:cisco:jabber:any:*:*:*:*:*:*:*
