Cisco Systems this week issued disclosed a dozen software vulnerabilities, including four high-severity flaws, one of which has not been patched.
The flaw with no current fix is CVE-2020-3155: a validation error in the SSL implementation of Cisco Intelligent Proximity, a solution that helps laptops, smartphones and other devices automatically discover and link with Webex video devices and collaboration endpoints. If exploited, the vulnerability could enable remote attackers to view or alter information shared on these Webex devices and endpoints.
“An attacker could exploit this vulnerability by using man-in-the-middle (MITM) techniques to intercept the traffic between the affected client and an endpoint, and then using a forged certificate to impersonate the endpoint,” Cisco states in a security advisory. “Depending on the configuration of the endpoint, an exploit could allow the attacker to view presentation content shared on it, modify any content being presented by the victim, or have access to call controls.”
Users of Cisco’s Intelligent Proximity application, Jabber, Webex Meetings and Webex Teams Cisco Meeting App can all be impacted by the vulnerability if the products are configured with the Proximity feature and are used to connect to on-premises devices or collaboration endpoints with the Proximity feature also enabled.
There are no workarounds but Cisco does list mitigations in its advisory. They include disabling the Proximity pairing feature on devices and endpoints, disabling the automatic discovery of collaboration endpoints on the Proximity clients, and migrating the collaboration solution to the cloud.
The two bugs with the highest CVSS score — designated CVE-2020-3127 and CVE-2020-3128 — are comprised of a series of vulnerabilities that could allow attackers to gain a targeted user’s privileges and then execute ..
Support the originator by clicking the read the rest link below.
