Main Vulnerability Database Vulnerabilities #VU25782

Improper Certificate Validation in Cisco Systems, Inc products - CVE-2020-3155

Published: March 5, 2020

Vulnerability identifier: #VU25782

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-3155

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Cisco Jabber
Cisco Webex Teams
Cisco Meeting App
Cisco Webex Meetings
Cisco Intelligent Proximity application

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MiTM) attack.

The vulnerability exists in the SSL implementation of the Cisco Intelligent Proximity solution due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device or a Cisco collaboration endpoint. A remote attacker can supply a specially crafted SSL certificate, perform a man-in-the-middle attack and view presentation content shared on it, modify any content being presented by the victim or have access to call controls.

This vulnerability affects Cisco products if they are running a vulnerable software release, have the Proximity feature enabled and are used to connect to on-premises devices.

How to mitigate CVE-2020-3155

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-proximity-ssl-cert-gBBu3RB

Improper Certificate Validation in Cisco Systems, Inc products - CVE-2020-3155

Detailed vulnerability description

How to mitigate CVE-2020-3155

Sources

Please verify you're human