Cisco Meeting Server Client Authentication Bypass Vulnerability

ITS Advisory Number: 2016-178
Date(s) Issued: Thursday, October 13, 2016
Subject: Cisco Meeting Server Client Authentication Bypass Vulnerability
Overview: 

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user. This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.

Systems Affected: 

Cisco ESA physical and virtual devices running any of the following software releases are affected by this vulnerability:

  • Cisco Meeting Server releases prior to 2.0.6 with XMPP enabled.
  • Acano Server releases prior to 1.8.18 and prior to 1.9.6 with XMPP enabled.
RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: High
BUSINESS
  Large and medium business entities: High
  Small business entities: High
Home Users: N/A
Description: 

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user. This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability in some environments are available.

Administrators can check the system configuration from the command line interface (CLI) of the Cisco Meeting Server to determine if a device is affected. The xmpp status command shows whether XMPP is enabled, and the version command shows the software version.

For example, the following command shows the version of a device running software version 2.0.6:

    system> version
    2_0_6

And the following command shows a device with XMPP configured:

    system> xmpp status
    Enabled                 : true
    Clustered               : true
    Domain                  : cisco.com
    Listening interfaces    : a
    Key file                : acano.key
    Certificate file        : acano.crt
    CA Bundle file          : ca-bundle.crt
    Max sessions per user   : unlimited
    STATUS                  : XMPP clustering (Follower)
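The two CLI checks above can be combined into a single affected/not-affected decision when auditing many devices. The following is an added example, not part of the advisory or any Cisco tooling: it parses captured output of the version and xmpp status commands and applies the release ranges the advisory lists. The sample outputs are constructed here (the 2_0_3 device is invented), and the assumption that Acano 1.x releases print in the same underscore form as 2_0_6 is not confirmed by the advisory, so dotted form is accepted as well.

```python
import re

# Constructed sample CLI output modelled on the advisory's examples.
# The 2_0_6 device matches the advisory; the 2_0_3 device is invented.
SAMPLE_VERSION_FIXED = "system> version\n2_0_6\n"
SAMPLE_VERSION_OLD = "system> version\n2_0_3\n"
SAMPLE_XMPP = """system> xmpp status
Enabled                 : true
Clustered               : true
Domain                  : cisco.com
Listening interfaces    : a
Max sessions per user   : unlimited
STATUS                  : XMPP clustering (Follower)
"""

def parse_version(output):
    """Pull the release tuple out of 'version' output. The CLI prints it
    with underscores (2_0_6); dotted form (assumed) is accepted too."""
    m = re.search(r"\b(\d+)[._](\d+)[._](\d+)\b", output)
    if m is None:
        raise ValueError("no release number found in version output")
    return tuple(int(part) for part in m.groups())

def parse_xmpp_status(output):
    """Turn the 'Label : value' lines of 'xmpp status' into a dict."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields

def version_is_vulnerable(version):
    """Apply the advisory's ranges: anything before 1.8.18, the 1.9 train
    before 1.9.6 (Acano), and the 2.0 train before 2.0.6 (CMS). Acano 1.x
    and CMS 2.x release numbers do not overlap, so one check serves both."""
    if version < (1, 8, 18):
        return True
    if (1, 9, 0) <= version < (1, 9, 6):
        return True
    if (2, 0, 0) <= version < (2, 0, 6):
        return True
    return False

def assess(version_output, xmpp_output):
    """A device is affected only when it runs a vulnerable release AND
    the XMPP service is enabled; both facts are returned for the audit log."""
    version = parse_version(version_output)
    enabled = parse_xmpp_status(xmpp_output).get("Enabled", "").lower() == "true"
    return {"version": ".".join(str(p) for p in version),
            "xmpp_enabled": enabled,
            "affected": enabled and version_is_vulnerable(version)}

if __name__ == "__main__":
    for sample in (SAMPLE_VERSION_FIXED, SAMPLE_VERSION_OLD):
        print(assess(sample, SAMPLE_XMPP))
```

A device whose XMPP service is disabled is reported as not affected even on a vulnerable release, which matches the advisory's "with XMPP enabled" wording; it should still be patched.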

Actions: 
  • After appropriate testing, install applicable updates provided by Cisco to the affected systems.
  • Verify no unauthorized system modifications have occurred on the system prior to applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.