Cisco Jabber, a unified communications platform for enterprises, has a vulnerability that puts users at risk from eavesdropping by remote attackers.
Cisco Jabber lets users access presence, instant messaging (IM), voice, video, voice messaging, desktop sharing and conferencing functionalities. It’s a key part of the company’s “post-PC” vision, as the client runs on mobile platforms including Windows Phone, iOS, BlackBerry and Android. The software uses the Jabber protocol (XMPP), SIP and SRTP streams to help collaborators communicate securely without running a VPN.
According to Synacktiv, the vulnerability, which affects the Cisco Jabber client for Windows, iPhone, iPad and Android, would allow an attacker to wiretap and tamper with messages exchanged between the client and the final Jabber gateway (commonly known as the Cisco Expressway-E).
In terms of the nuts and bolts of the issue, the flaw allows nefarious types to perform a STARTTLS downgrade attack. The Cisco Jabber client supports STARTTLS negotiation in order to secure communications, but doesn't check if this extension is required by the server, so an attacker performing a man-in-the-middle attack can drop the STARTTLS requirement to force the client to talk in clear text, without any warning.
“To illustrate our proof-of-concept, we have chosen the case when a victim wants to use its Cisco Jabber Client in a public Wi-Fi hotspot,” the researchers explained in an analysis. “As Cisco mentions in its website, the communication aims to be quick and secure so a user shouldn't worry about using the client in a public hotspot.”
The researchers created a fake hotspot using the common ESSID used by the victim, and were able to redirect the traffic from the client on the fake access point interface to their own script. The script doesn’t forward the STARTTLS requirement coming from the server to the client, and can sniff and tamper with the messages. It also delays messages between the client and the legit Jabber gateway.
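The missing client-side check can be sketched as follows. This is an added example, not Cisco's or Synacktiv's code: the function name `next_step`, the `require_tls` policy flag and the two sample stanzas are assumptions constructed for illustration, using the stream-features syntax from RFC 6120. The point it shows is that the TLS requirement has to come from the client's own policy, because anything the server advertises in clear text can be removed in transit.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample stanzas (RFC 6120 syntax), not captured traffic.
GENUINE = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
# The same advertisement after the <starttls/> child has been dropped in transit.
STRIPPED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


class TLSDowngradeError(Exception):
    """Raised instead of silently continuing on an unencrypted stream."""


def next_step(features_xml: str, require_tls: bool = True) -> str:
    """Decide what to do after <stream:features/> arrives on a plaintext stream.

    require_tls is local client policy. With require_tls=False the function
    reproduces the behaviour described above: no STARTTLS offer, no warning,
    and the session carries on in clear text.
    """
    features = ET.fromstring(features_xml)
    if features.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a stream:features element")
    if features.find(f"{{{NS_TLS}}}starttls") is not None:
        return "starttls"  # upgrade whenever it is offered
    if require_tls:
        raise TLSDowngradeError("no STARTTLS offered; refusing to send in clear text")
    return "continue-plaintext"


if __name__ == "__main__":
    print(next_step(GENUINE))                      # client upgrades
    print(next_step(STRIPPED, require_tls=False))  # downgrade goes unnoticed
    try:
        next_step(STRIPPED)                        # policy enforced: connection aborted
    except TLSDowngradeError as exc:
        print("aborted:", exc)
```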
Cisco has released software updates that address the vulnerability. Workarounds that mitigate this vulnerability aren’t available though.