An attacker in a man-in-the-middle position could abuse a STARTTLS downgrade vulnerability in the Cisco Jabber client-server negotiation in order to intercept communication.
Cisco warned its customers yesterday, but has yet to patch the vulnerability, which affects the Cisco Jabber clients for Windows, iPhone, iPad and Android.
Researchers Renaud Dubourguais and Sébastien Dudek of Synacktiv reported the issue in December, Cisco said. Yesterday, the researchers disclosed some details and published proof-of-concept code.
The Cisco Jabber client is used primarily as a collaboration and messaging tool between users of various Cisco conferencing and messaging products, including Presence. The client is marketed as a secure collaboration tool that does not require a VPN connection.
Dubourguais and Dudek wrote in a report published yesterday that an attacker in a man-in-the-middle position could snoop on messages sent to the Jabber gateway, which they said is usually the Cisco Expressway-E gateway.
The Jabber client, which uses the XMPP protocol for messaging, supports STARTTLS negotiation for secure communication. Dubourguais and Dudek wrote that the client does not check whether the server requires the STARTTLS extension. An attacker could take advantage of this to strip the STARTTLS negotiation and force the session to continue in clear text.
“This packet will notify the client that all messages must be exchanged within a TLS session from this point. However, an attacker performing a man-in-the-middle attack can catch this message and negotiate himself the SSL session,” Dubourguais and Dudek wrote. “All this negotiation is not forwarded to the client which will continue to talk in clear-text on the wire. This attack won’t trigger any warning on the client-side. From this point, the attacker can wiretap the communication and retrieve sensitive information including the victim’s login and password depending on the authentication mechanism.”
Cisco said that versions 9.x, 10.6.x, 11.0.x and 11.1.x are vulnerable on all platforms; it also said there are no reports of public attacks.
Dubourguais and Dudek said that a common attack scenario would be one where the victim uses the Cisco Jabber client at a public Wi-Fi hotspot.
“The vulnerability exists because the client does not verify that an Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS),” Cisco said in its advisory. “An attacker could exploit this vulnerability by performing a man-in-the-middle attack to tamper with the XMPP connection and avoid TLS negotiation. A successful exploit could allow the attacker to cause the client to establish a cleartext XMPP connection.”
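The root cause described by the researchers and by Cisco's advisory is a client policy decision: the client trusts whatever the XMPP stream features say about STARTTLS instead of insisting on TLS itself. The following added example (not Cisco's or Synacktiv's code) models that decision in Python. It parses a constructed `<stream:features>` stanza, then contrasts a lenient client that moves straight to authentication when no `<starttls/>` element is present with a hardened client that refuses to authenticate on a cleartext stream regardless of what the server appears to offer. The stanza contents, function names and the "starttls"/"auth"/"abort" step labels are assumptions made for the illustration.

```python
"""Client-side STARTTLS policy check for an XMPP stream (added example, not vendor code)."""
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample <stream:features> stanzas (hypothetical, not captured traffic).
# The first is what a server that mandates STARTTLS sends; the second is what
# the client sees when an on-path party has removed the <starttls/> element.
FEATURES_TLS_REQUIRED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    f"<mechanisms xmlns='{SASL_NS}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
FEATURES_STRIPPED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<mechanisms xmlns='{SASL_NS}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def parse_features(stanza: str) -> dict:
    """Extract the STARTTLS offer/requirement and SASL mechanisms from a features stanza."""
    root = ET.fromstring(stanza)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    mechanisms = [m.text for m in root.iter(f"{{{SASL_NS}}}mechanism")]
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": (
            starttls is not None and starttls.find(f"{{{TLS_NS}}}required") is not None
        ),
        "mechanisms": mechanisms,
    }


def lenient_next_step(stanza: str, tls_active: bool) -> str:
    """Policy of the kind the article describes: trust whatever the stream advertises.

    If STARTTLS is no longer offered, the client proceeds to SASL authentication
    over the cleartext stream and raises no warning.
    """
    feats = parse_features(stanza)
    if not tls_active and feats["starttls_offered"]:
        return "starttls"
    return "auth"


def strict_next_step(stanza: str, tls_active: bool) -> str:
    """Hardened policy: the client itself requires TLS before authenticating.

    The decision deliberately ignores whether the server advertised <required/>,
    because anyone on the path controls what the client sees before TLS is up.
    """
    if tls_active:
        return "auth"
    feats = parse_features(stanza)
    if feats["starttls_offered"]:
        return "starttls"
    # No STARTTLS offered on a cleartext stream: refuse rather than send credentials.
    return "abort"


if __name__ == "__main__":
    for name, stanza in (("required", FEATURES_TLS_REQUIRED), ("stripped", FEATURES_STRIPPED)):
        print(name, parse_features(stanza))
        print("  lenient client ->", lenient_next_step(stanza, tls_active=False))
        print("  strict client  ->", strict_next_step(stanza, tls_active=False))
```

The difference between the two policies is the only thing that matters here: with the stripped stanza the lenient client answers "auth" and would send a PLAIN credential in the clear, while the strict client answers "abort". A client that pins its own TLS requirement in this way cannot be talked into a cleartext session by anything that arrives before the TLS handshake.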