Authentication bypass in Cisco Meeting Server - CVE-2016-6445
Published: October 12, 2016 / Updated: April 5, 2018
Vulnerability identifier: #VU940
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6445
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Meeting Server
Detailed vulnerability description
The vulnerability allows a remote unauthenticated user to bypass authentication and perform actions as a valid user on the target system.
The weakness is due to improper processing of a deprecated authentication scheme by the XMPP service, which allows attackers to be admitted to the system as an authenticated user.
Successful exploitation of the vulnerability gives a malicious user access to the vulnerable system.
How to mitigate CVE-2016-6445
Update Cisco Meeting Server to version 2.0.6 or later.
Update Acano Server to version 1.8.18 or 1.9.6.