Californian tech giant Cisco has released an advisory statement explaining that its chat client Jabber is currently vulnerable to a man-in-the-middle attack.
Found in the Windows client of Jabber, the vulnerability could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack.
The vulnerability, discovered by Renaud Dubourguais and Sébastien Dudek of Synacktiv, a French cyber-security firm, affects the 10.6.x, 11.0.x and 11.1.x releases.
Currently the client does not verify that the Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS).
XMPP enables the near-real-time exchange of structured yet extensible data between any two or more network entities.
Speaking to SCMagazineUK.com, Renaud Dubourguais explained, “Cisco Jabber is installed on an employee's computer and configured to connect to a Jabber server deployed by the company. During the connection process, an XMPP negotiation occurs to decide if they have to use a secured communication (TLS) or not, which is where the vulnerability is. Once the negotiation is done, the client sends the company login details through XMPP messages to authenticate the employee and chats can start.”
As a result, an attacker in a man-in-the-middle position could cause the client to establish a plaintext XMPP connection. The report from Synacktiv says, “A successful exploitation could allow anyone to wiretap communications, steal user credentials, but also tamper messages sent between the client and the Jabber gateway.”
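The negotiation described above is the point a client has to get right: after reading the server's `<stream:features>`, it must either move to STARTTLS or stop, and it must never send SASL credentials over a stream on which TLS was not actually established. The following is an added example, not Cisco's or Synacktiv's code, showing that decision in a minimal XMPP client policy. The `strict=False` branch models the behaviour the advisory describes (proceeding to authentication regardless of TLS state); the strict branch refuses. The stanza samples are constructed for the example; the STARTTLS and SASL namespaces are the standard XMPP ones.

```python
"""Added example (not Cisco's or Synacktiv's code): a STARTTLS policy check for an
XMPP client, contrasting a lenient client that continues in plaintext with a strict
one that refuses to authenticate until TLS is established."""
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample stanzas (not captured traffic).
# 1) Server advertises STARTTLS (marked required) alongside SASL mechanisms.
FEATURES_WITH_TLS = (
    f'<stream:features xmlns:stream="{STREAMS_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
# 2) Same stream with the STARTTLS advertisement absent: this is what the client
#    sees when the TLS offer has been removed from the path, and also what a
#    server legitimately sends *after* TLS is already up.
FEATURES_TLS_STRIPPED = (
    f'<stream:features xmlns:stream="{STREAMS_NS}">'
    f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
PROCEED_REPLY = f'<proceed xmlns="{TLS_NS}"/>'
FAILURE_REPLY = f'<failure xmlns="{TLS_NS}"/>'


class DowngradeRefused(Exception):
    """Raised by the strict policy whenever the session would continue in plaintext."""


def parse_features(features_xml: str) -> dict:
    """Summarise a <stream:features> stanza: STARTTLS offered/required, SASL offered."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{STREAMS_NS}}}features":
        raise ValueError("not a stream:features stanza")
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{TLS_NS}}}required") is not None,
        "sasl_offered": root.find(f"{{{SASL_NS}}}mechanisms") is not None,
    }


def next_step(features_xml: str, tls_established: bool, strict: bool = True) -> str:
    """Decide the client's next action after reading the server's features.

    Returns "starttls", "auth" or "abort". The decisive input is the client's own
    knowledge of whether TLS is up on the socket, not anything the server claims.
    With strict=False the lenient client sends credentials even without TLS, which
    is the failure mode the advisory describes.
    """
    feats = parse_features(features_xml)
    if tls_established:
        return "auth" if feats["sasl_offered"] else "abort"
    if feats["starttls_offered"]:
        return "starttls"
    if strict:
        raise DowngradeRefused("server offered no STARTTLS; refusing plaintext session")
    return "auth" if feats["sasl_offered"] else "abort"   # lenient: proceeds in the clear


def handle_starttls_reply(reply_xml: str, strict: bool = True) -> bool:
    """Interpret the server's answer to <starttls/>; True means start the TLS handshake."""
    root = ET.fromstring(reply_xml)
    if root.tag == f"{{{TLS_NS}}}proceed":
        return True
    if root.tag == f"{{{TLS_NS}}}failure":
        if strict:
            raise DowngradeRefused("STARTTLS failed; refusing to fall back to plaintext")
        return False   # lenient client keeps using the existing plaintext stream
    raise ValueError("unexpected reply to starttls")


if __name__ == "__main__":
    print("strict, TLS offered:", next_step(FEATURES_WITH_TLS, tls_established=False))
    print("lenient, no TLS offered:",
          next_step(FEATURES_TLS_STRIPPED, tls_established=False, strict=False))
    try:
        next_step(FEATURES_TLS_STRIPPED, tls_established=False)
    except DowngradeRefused as exc:
        print("strict, no TLS offered:", exc)
```

The design point is that `tls_established` comes from the client's own socket state (whether it has completed a TLS handshake), so a stream whose STARTTLS advertisement is missing, or whose `<starttls/>` request is answered with `<failure/>`, results in an aborted session rather than credentials sent in the clear. Once TLS is up, the same stripped feature set is legitimate and authentication proceeds.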
Cisco has released software updates that address this vulnerability. As no workarounds are available, the only way to protect end users is to ensure their Jabber clients are fully patched and up to date.
Gavin Millard, technical director EMEA at Tenable Network Security commented, “To finish off the year of multiple downgrade attacks against SSL/TLS, the recently announced Cisco Jabber client issue is similar to many we've experienced in 2015.
“As with many of the downgrade vulnerabilities, an attacker could manipulate the communication path to force a lower level of encryption between the client and server, making it easier to gain visibility into the data flow. What is of concern in this particular example though, is the fact the downgrade is to cleartext rather than a less secure implementation of SSL.”