Cisco's Jabber client vulnerable to encryption downgrade, man-in-the-middle attacks


A vulnerability in Cisco Jabber could allow an unauthenticated, remote attacker sitting in the network path to strip TLS from the client's session, so that the client ends up transmitting its XMPP traffic in cleartext.

Affected products are Cisco Jabber for Windows, Cisco Jabber for iPhone and iPad, and Cisco Jabber for Android, in versions 9.x, 10.6.x, 11.0.x and 11.1.x.

The problem is that the Cisco Jabber client does not check whether STARTTLS is required by the server before it continues the session. In XMPP, encryption is negotiated inside the connection rather than assumed from the start: the server advertises STARTTLS among its stream features and the client then asks to upgrade the stream to TLS. Because the client does not insist on that upgrade, an unauthenticated, remote attacker who can tamper with the traffic can suppress the STARTTLS negotiation, leaving a cleartext Extensible Messaging and Presence Protocol (XMPP) connection with the server that can be spied on.

"An attacker could exploit this vulnerability by performing a man-in-the-middle attack to tamper with the XMPP connection and avoid TLS negotiation," wrote Cisco in its security advisory. "A successful exploit could allow the attacker to cause the client to establish a cleartext XMPP connection."
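To make the failure concrete, here is an added illustration of the client-side decision, written for this page and not taken from Cisco's code or advisory. It models a server's `<stream:features>` stanza (a constructed sample using the standard XMPP STARTTLS and SASL namespaces), an on-path attacker that deletes the `<starttls>` feature before the client sees it, and two simplified client policies: a vulnerable one that only uses TLS when the server still advertises it, and a hardened one that applies the rule from RFC 6120 section 5.3.1, closing the stream when local policy requires TLS and none is offered. The stanza contents and the two policy functions are assumptions for illustration; only the namespaces and the RFC rule are real.

```python
import xml.etree.ElementTree as ET

# Standard XMPP namespaces (RFC 6120).
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what a server sends after the initial stream header when it
# offers STARTTLS, marks it as required, and also advertises SASL authentication.
SERVER_FEATURES = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    f"<mechanisms xmlns='{SASL_NS}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def parse_features(xml_text):
    """Extract the security-relevant facts from a <stream:features> stanza."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": (
            starttls is not None
            and starttls.find(f"{{{TLS_NS}}}required") is not None
        ),
        "sasl_offered": root.find(f"{{{SASL_NS}}}mechanisms") is not None,
    }


def strip_starttls(xml_text):
    """Simulated man-in-the-middle: remove the <starttls> feature so the client
    never learns that the server offers (or requires) TLS."""
    root = ET.fromstring(xml_text)
    for element in root.findall(f"{{{TLS_NS}}}starttls"):
        root.remove(element)
    return ET.tostring(root, encoding="unicode")


def vulnerable_next_step(features):
    """Assumed vulnerable policy: trust whatever the (possibly tampered) features
    say. With <starttls> gone, the client goes straight to plaintext SASL auth."""
    if features["starttls_offered"]:
        return "starttls"
    if features["sasl_offered"]:
        return "auth-plaintext"
    return "abort"


def hardened_next_step(features, require_tls=True):
    """Hardened policy: TLS is a local requirement, not something the server
    (or an attacker rewriting the server's stanza) gets to decide."""
    if features["starttls_offered"]:
        return "starttls"
    if require_tls:
        # RFC 6120 s.5.3.1: if policy requires TLS and it is not offered,
        # the initiating entity MUST close the stream rather than continue.
        return "abort"
    return "auth-plaintext" if features["sasl_offered"] else "abort"


def run_session(features_xml, decide, attacker_present):
    """Drive one simulated negotiation and return the client's next action."""
    on_the_wire = strip_starttls(features_xml) if attacker_present else features_xml
    return decide(parse_features(on_the_wire))


if __name__ == "__main__":
    for name, decide in (("vulnerable", vulnerable_next_step),
                         ("hardened", hardened_next_step)):
        for mitm in (False, True):
            action = run_session(SERVER_FEATURES, decide, mitm)
            print(f"{name:10} mitm={mitm!s:5} -> {action}")
```

Run stand-alone, the vulnerable client reaches `auth-plaintext` the moment the attacker deletes `<starttls>`, while the hardened client aborts; neither policy ever consults the `<required/>` marker, because an attacker who can delete the whole feature can delete that marker just as easily, which is why the requirement has to live in the client.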

According to a report by Threatpost, the Cisco Jabber client is used primarily as a collaboration and messaging tool between users of various Cisco conferencing and messaging products. The report also noted that it is marketed as a secure collaboration tool that removes the need for a separate layer of encryption such as a virtual private network (VPN) connection, which is exactly the assumption this downgrade undermines.

For now, users running vulnerable versions of the software are encouraged to upgrade as soon as possible. Cisco said there are no workarounds that mitigate the issue; upgrading to a fixed release is the only remedy.

For more:
- check out this security advisory at Cisco
- check out this article at Threatpost
