Cisco Jabber STARTTLS Downgrade Vulnerability

Summary

• A vulnerability in the Cisco Jabber client could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack.
  
  The vulnerability exists because the client does not verify that an Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS). An attacker could exploit this vulnerability by performing a man-in-the-middle attack to tamper with the XMPP connection and avoid TLS negotiation. A successful exploit could allow the attacker to cause the client to establish a cleartext XMPP connection.
  
  Cisco will release software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
  
  This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab

Affected Products

• Vulnerable Products

  The following table lists Cisco products that are affected by the vulnerability that is described in this advisory.
  
  
  

  Product	Defect	Fixed Release Availability
  Client Side
  Cisco Jabber for Windows	CSCux88529	11.5(1) on-premises (Available) 11.5(1) cloud (4-Feb-2016) 11.1(3) on-premises (5-Feb-2016) 11.1(3) cloud (18-Feb-2016) 10.6(7) on-premises (12-Feb-2016) 10.6(7) cloud (25-Feb-2016) 10.5(5) (18-Feb-2016 - Tentative) 9.7(7) (23-Feb-2016 - Tentative)
  Cisco Jabber for Mac	CSCux74900	11.5(1) on-premises (3-Feb-2016) 11.5(1) cloud (4-Feb-2016)
  Cisco Jabber for Android	CSCux74895	11.5(1) (Available)
  Cisco Jabber for iPhone and iPad	CSCux74848	11.5(1) (5-Feb-2016 - Tentative)
  Server Side
  Cisco Unified Communications Manager IM & Presence Service	CSCux80122	COP files (Available)

  
  At the time this advisory was first published, all available releases of the affected products, including Release 11.5(0), were vulnerable.
  

  Products Confirmed Not Vulnerable

  Voice and Video Telephony features of affected Jabber clients are not impacted by this vulnerability as the operation of these functionalities does not rely on the XMPP protocol.
  
  The following products are not affected by this vulnerability:

  • Cisco Jabber Video for iPad
  • Cisco Jabber Voice for iPhone
  • Cisco Jabber Voice for Android
  • Cisco UC Integration for Microsoft Lync
  • Cisco Jabber Guest
  • Cisco Jabber Software Development Kit

  
  No other Cisco products are currently known to be affected by this vulnerability.

Workarounds

• There are no workarounds that address this vulnerability.

Fixed Software

• Please see the table in the Vulnerable Products section of this advisory for fix availability information.
  
  On-premise deployments will also require an update of the Cisco Unified Communications Manager IM & Presence Service for extending protection to on-premise clients.
  
  When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious exploitation of this vulnerability.
  

Source

• Cisco would like to thank Renaud Dubourguais and Sébastien Dudek from Synacktiv for discovering and reporting this vulnerability.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab

Revision History

• Version	Description	Section	Status	Date
  2.1	Updated information about the availability of fixed releases.	Affected Products - Vulnerable Products	Final	2016-February-03
  2.0	Updated the information about vulnerable versions and fixed releases to reflect that 11.5(0) does not integrate a fix for this vulnerability: the code change addressing the vulnerability was removed from defect CSCuw87419 just prior to releasing 11.5(0) as it would result in on-premise connectivity issues for deployments using CUCM IM&P builds with limited cryptographic capabilities. New defects on all affected platforms have been opened to track the proper addressing of this vulnerability.	Affected Products - Vulnerable Products, Affected Products - Products Confirmed Not Vulnerable, Fixed Software	Final	2016-January-18
  1.3	Added Cisco Jabber for Mac to the list of vulnerable products. Moved Cisco Jabber Voice for iPhone, Cisco Jabber Video for iPad, and Cisco Jabber Voice for Android to the list of products that are not vulnerable. Indicated that proof-of-concept exploit code is now available.	Affected Products - Vulnerable Products, Affected Products - Products Confirmed Not Vulnerable, Exploitation and Public Announcements	Final	2016-January-08
  1.2	Updated to indicate that Release 11.5 for all platforms includes the fix, explicitly named the different mobile versions of the client, and modified the vulnerable versions to include all releases except 11.5.	Affected Products - Vulnerable Products, Fixed Software	Final	2016-January-05
  1.1	Updated to include affected versions of Cisco Jabber for iPhone and iPad and Cisco Jabber for Android.	Title, Summary, Affected Products - Vulnerable Products	Final	2016-January-04
  1.0	Initial public release.	-	Final	2015-December-24

  Show Complete History...