Cisco Meeting Server – CVE-2016-6445 flaw allows to impersonate legitimate users

Cisco fixed a critical vulnerability in the Cisco Meeting Server, tracked as CVE-2016-6445, that allows remote attackers to impersonate legitimate users.

A security vulnerability in Cisco Meeting Server, tracked as CVE-2016-6445, could be exploited by attackers to impersonate legitimate users.

Experts from Cisco uncovered the vulnerability during a routine security audit of a customer.

The hole resides in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS). According to Cisco, the XMPP service incorrectly processes a deprecated authentication scheme allowing an unauthenticated attacker to access the system impersonating another user.

“A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user.” reads the security advisory published by CISCO. “This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.”

CVE-2016-6445 flaw cisco-meeting-server

The CVE-2016-6445 flaw affects the following versions of the Cisco Meeting Server:

Cisco Meeting Server prior to 2.0.6 with XMPP enabled. Acano Server prior to 1.8.18 and prior to 1.9.6 with XMPP enabled.
Acano Server prior to 1.8.18 and prior to 1.9.6 with XMPP enabled.

CISCO urges its customers to apply appropriate updates, it also suggests as a workaround to disable the XMPP protocol using the “xmpp disable” command.

According to the company, there is no evidence that the CVE-2016-6445 has been exploited in the wild.

This is the second advisory published by Cisco for Meeting Server, a first one was published in July and it was related to a persistent cross-site scripting (XSS) flaw that allowed an unauthenticated attacker to execute arbitrary code in the context of the product’s management interface.

“A vulnerability in the web bridge that offers video via a web interface of Cisco Meeting Server Software, formerly Acano Conferencing Server, could allow an unauthenticated, remote attacker to conduct a persistent cross-site scripting (XSS) attack against a user of the web interface of an affected system.” stated the Cisco Advisory.
“The vulnerability is due to improper input validation of certain parameters that are passed to an affected device via an HTTP request. An attacker could exploit this vulnerability by persuading a user to follow a malicious link.”

Back to the CVE-2016-6445 flaw, the firmware updates can be downloaded from the CISCO Software Center (Products > Conferencing > Video Conferencing > Multiparty Conferencing > Meeting Server > Meeting Server 1000 > TelePresence Software).

Acano software can be downloaded from the Acano website.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2016-6445, Cisco Meeting Server)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.