AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
-
A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user. This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.
Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability in some environments are available. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc
-
Vulnerable Products
Versions of the Cisco Meeting Server prior to 2.0.6 with XMPP enabled are affected by this vulnerability.
Versions of the Acano Server prior to 1.8.18 and prior to 1.9.6 with XMPP enabled are also affected by this vulnerability.
Administrators can check the system configuration from the command-line interface (CLI) of the Cisco Meeting Server to determine whether a device is affected. An administrator can determine whether XMPP is enabled by using the xmpp status command, and can identify the software version by using the version command.
For example, the following commands show the version of a device running software version 2.0.6 and confirm that XMPP is enabled:
system> version
2_0_6
system> xmpp status
Enabled : true
Clustered : true
Domain : cisco.com
Listening interfaces : a
Key file : acano.key
Certificate file : acano.crt
CA Bundle file : ca-bundle.crt
Max sessions per user : unlimited
STATUS : XMPP clustering (Follower)
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Administrators are advised to apply appropriate updates. However, if the XMPP protocol is not needed, it can be disabled by an administrator with the xmpp disable command. In this case, the system will continue to support other protocols. The following example shows how to disable the XMPP protocol and verify that it is disabled.
system> xmpp disable
system> xmpp status
Enabled : false
Clustered : true
Domain : cisco.com
Listening interfaces : a
Key file : acano.key
Certificate file : acano.crt
CA Bundle file : ca-bundle.crt
Max sessions per user : unlimited
STATUS : XMPP server not enabled
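The two CLI checks above (version and xmpp status) and the xmpp disable workaround can be turned into a repeatable exposure check. The following script is an added example, not Cisco's code: it parses constructed sample output in the advisory's format and applies the advisory's fixed-version boundaries (CMS 2.0.6; Acano Server 1.8.18 and 1.9.6). The product label passed by the caller ("cms" or "acano") is an assumption of this example.

```python
import re

# Affected ranges from the advisory, as (train_floor, first_fixed) pairs:
# a version is affected when train_floor <= version < first_fixed.
# CMS: prior to 2.0.6. Acano Server: prior to 1.8.18 and prior to 1.9.6.
AFFECTED_RANGES = {
    "cms":   [((0, 0, 0), (2, 0, 6))],
    "acano": [((0, 0, 0), (1, 8, 18)), ((1, 9, 0), (1, 9, 6))],
}

# Constructed sample CLI output in the advisory's format (not from a real device).
SAMPLE_VERSION = "2_0_5"
SAMPLE_XMPP_STATUS = """Enabled : true
Clustered : true
Domain : example.com
Listening interfaces : a
Key file : acano.key
Certificate file : acano.crt
CA Bundle file : ca-bundle.crt
Max sessions per user : unlimited
STATUS : XMPP clustering (Follower)"""


def parse_version(text):
    """Turn the CLI's '2_0_6' (or a dotted '2.0.6') into the tuple (2, 0, 6)."""
    m = re.search(r"\b(\d+)[._](\d+)[._](\d+)\b", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def xmpp_enabled(status_output):
    """Read the 'Enabled : true/false' line of the xmpp status output."""
    m = re.search(r"^\s*Enabled\s*:\s*(true|false)\b", status_output, re.M | re.I)
    if not m:
        raise ValueError("no 'Enabled' line in xmpp status output")
    return m.group(1).lower() == "true"


def is_affected(product, version_output, status_output):
    """True when XMPP is enabled and the version falls in an affected range."""
    if not xmpp_enabled(status_output):
        return False  # xmpp disable workaround applied, or XMPP never enabled
    ver = parse_version(version_output)
    return any(floor <= ver < fixed for floor, fixed in AFFECTED_RANGES[product])


if __name__ == "__main__":
    print("affected" if is_affected("cms", SAMPLE_VERSION, SAMPLE_XMPP_STATUS)
          else "not affected")
```

A device reporting 1.8.19 on the Acano 1.8 train is reported as not affected, while 1.9.0 through 1.9.5 are, matching the advisory's two separate Acano fix points.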
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
This vulnerability is fixed in the following firmware versions:
- Acano Server version 1.8.18
- Acano Server version 1.9.6
- Cisco Meeting Server version 2.0.6
Acano software can be obtained from the software download section of the Acano website.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
This vulnerability was discovered during a routine security audit of a Cisco customer.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version  Description              Section  Status  Date
1.0      Initial public release.  —        Final   2016-October-12
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.