====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN110
_____________________________________________________________________

DATE                : 05/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Intelligent Proximity,
                       Cisco Jabber, Cisco Webex Meetings,
                       Cisco Webex Teams, Cisco Meeting App.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-proximity-ssl-cert-gBBu3RB
_____________________________________________________________________

Cisco Intelligent Proximity SSL Certificate Validation Vulnerability

High

Advisory ID:      cisco-sa-proximity-ssl-cert-gBBu3RB
First Published:  2020 March 4 16:00 GMT
Version 1.0:      Final
Workarounds:      No workarounds available
Cisco Bug IDs:    CSCvr90871
CVSS Score:       Base 7.4

CVE-2020-3155
CWE-295


Summary

    A vulnerability in the SSL implementation of the Cisco Intelligent
Proximity solution could allow an unauthenticated, remote attacker to
view or alter information shared on Cisco Webex video devices and Cisco
collaboration endpoints if the products meet the conditions described in
the Vulnerable Products section.

    The vulnerability is due to a lack of validation of the SSL server
certificate received when establishing a connection to a Cisco Webex
video device or a Cisco collaboration endpoint. An attacker could
exploit this vulnerability by using man in the middle (MITM) techniques
to intercept the traffic between the affected client and an endpoint,
and then using a forged certificate to impersonate the endpoint.
Depending on the configuration of the endpoint, an exploit could allow
the attacker to view presentation content shared on it, modify any
content being presented by the victim, or have access to call controls.

    This vulnerability does not affect cloud registered collaboration
endpoints.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-proximity-ssl-cert-gBBu3RB


Affected Products

    Vulnerable Products

    This vulnerability affects the following Cisco products if they are
running a vulnerable software release, have the Proximity feature
enabled, and are used to connect to on-premises devices:

        Cisco Intelligent Proximity application
        Cisco Jabber
        Cisco Webex Meetings
        Cisco Webex Teams
        Cisco Meeting App

    Cisco has not released software updates that address this
vulnerability. All software versions are affected.

    Determining if the Proximity Feature Is Enabled on the Clients

    The software clients listed above are affected by this vulnerability
when they are configured with the Proximity feature. However, for an
attacker to exploit this vulnerability, a collaboration endpoint would
also need to have the Proximity feature enabled. More information
regarding the configuration of the Proximity feature on the endpoints is
available in the Details and Workarounds sections of this advisory.

    Cisco Intelligent Proximity Application

    The Proximity feature is always enabled and cannot be disabled.
    Cisco Jabber1

    There are multiple methods to determine whether the Proximity
feature is enabled in Cisco Jabber:

    1. In the Jabber configuration file jabber-config.xml, this feature
is enabled if the following line is not present:

        <EnableProximity>false</EnableProximity>

    2. In the application's preferences, navigate to Video Device. This
feature is enabled if Connect to nearest device automatically is
selected.

    Cisco Webex Meetings1

    In the application's preferences, navigate to Video Systems. This
feature is enabled if Automatically discover nearby devices is selected.

    Cisco Webex Teams1

    From the Cisco Webex Control Hub, navigate to Settings and scroll to
Device Discovery. This feature is enabled if Allow the Webex Teams app
to connect to on-premises registered device is selected.

    Cisco Meeting App

    The Proximity feature is always enabled and cannot be disabled.

    1 The title of the submenu and the description of the option may
vary with the software version. This information is meant to provide a
general indication of where to find the configuration option for the
Proximity feature.


    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco
Proximity clients when used to connect to cloud registered devices.


Details

    The Cisco Intelligent Proximity solution allows laptops,
smartphones, or other handheld devices to automatically discover and
connect to Cisco Webex video devices and collaboration endpoints. The
features available to the client depend on the endpoint configuration,
which will influence what can be exploited by an attacker.

    Configuration options can include any combination of the following:
        Content share from clients: A client can present onto the screen
of the collaboration endpoint. The shared contents are presented only on
the collaboration endpoint and are not shared with other connected
clients. A MITM could read or modify the contents of the presentation.

        Content share to clients: The shared contents are presented on
the screen of the collaboration endpoint and on any connected client
devices. A MITM could see any ongoing presentation shared by other
clients and alter the presentation contents viewed by the victim of the
attack.

        Call controls: A client can control the Cisco collaboration
endpoint in the same way as if using the device's touch panel. For
example, it is possible to send commands to control volume or dial
others. A MITM could use this to dial in and listen in on the call,
impersonate the victim, or view any commands sent by the victim to the
collaboration endpoint, including dialed URIs.


Workarounds

    There are no workarounds that address this vulnerability.


    Mitigations

    Disabling the Proximity Pairing Feature

    The primary purpose of the collaboration endpoints is video and
content sharing. Customers that don't require automatic endpoint
discovery and connection can disable the Proximity pairing feature.

    Disabling the Proximity Pairing Feature on Cisco Webex Video Devices
and on Cisco Collaboration Endpoints

    Sign in to the endpoint's web interface and navigate to
Setup > Configuration, then go to Proximity > Mode. Setting Mode to Off
will ensure that all the Proximity features are disabled. Alternatively,
the different sub-services can be disabled, which will limit exposure
accordingly.

    For the Cisco IX5000 Series, navigate to
Configuration > Display Frequency and Proximity Sections. Setting Mode
to Off will ensure that all the Proximity features are disabled.
Alternatively, the different sub-services can be disabled, which will
limit exposure accordingly.

    Note: Once this feature is disabled on an endpoint, direct
interaction with the device is required to use it. The various Proximity
clients will not be able to connect to the endpoints. However, this
doesn't prevent client software from connecting to other endpoints that
might have the feature enabled, thus not fully eliminating the risk of
exploitation.

    Disabling the Automatic Discovery of Collaboration Endpoints on the
Proximity Clients

    It is possible to disable the Proximity pairing in Cisco Jabber,
Cisco Webex Teams, and Cisco Webex Meetings. The instructions for how to
reach the configuration option for each respective client are listed in
the Vulnerable Products section of this advisory.

    Note: Disabling this feature on the clients will not prevent
external guests from connecting to the endpoint, thus not fully
eliminating the risk of exploitation.

    Migration of the Collaboration Solution to the Cloud

    Customers that are entitled to use the cloud registered
collaboration solution may migrate their environment from on-premises to
cloud registered devices. The Cisco Intelligent Proximity solution for
cloud registered devices is not affected by this vulnerability.


Fixed Software

    Cisco has not released software updates that address the
vulnerability described in this advisory. Customers may only install and
expect support for software versions and feature sets for which they
have purchased a license. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to follow the
terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly, or through a Cisco
authorized reseller or partner. In most cases this will be a maintenance
upgrade to software that was previously purchased. Free security
software updates do not entitle customers to a new software license,
additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to
regularly consult the advisories for Cisco products, which are available
from the Cisco Security Advisories and Alerts page, to determine
exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be
upgraded contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of entitlement
to a free upgrade.


Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the vulnerability
that is described in this advisory.


Source

    Cisco would like to thank Adam Shore for reporting this vulnerability.


URL


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-proximity-ssl-cert-gBBu3RB


Revision History

Version 	Description 	Section 	Status 	Date
1.0 	Initial public release. 	— 	Final 	2020-MAR-04


Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================