Cisco patches critical authentication flaw in conferencing servers
Hackers could exploit the issue to masquerade as legitimate users.
Cisco Systems has patched a critical vulnerability that could allow hackers to gain access to Cisco Meeting and Acano servers that are used in enterprise environments for video and audio conferencing.
The flaw allows an unauthenticated attacker to masquerade as a legitimate user because the Extensible Messaging and Presence Protocol (XMPP) service incorrectly processes a deprecated authentication scheme, Cisco said in an advisory.
The flaw affects Cisco Meeting Server versions prior to 2.0.6 with XMPP enabled, as well as versions of the Acano Server prior to 1.8.18 and prior to 1.9.6. If upgrading to the latest releases is not immediately possible, administrators are advised to disable XMPP on their servers and keep using the other available protocols.
On Wednesday the company also patched a denial-of-service flaw in Cisco Wide Area Application Services (WAAS), a clickjacking flaw in the Cisco Unified Communications Manager (CUCM), an SQL injection vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface and an issue that could affect the configuration integrity of Cisco cBR-8 converged broadband routers.
All of these vulnerabilities are rated as medium severity and patches are available to fix them. However, the company also warned customers about a cross-site request forgery vulnerability in the Cisco Finesse Agent and Supervisor Desktop Software that does not yet have a fix or a workaround.
Cisco has also been investigating the impact of recent vulnerabilities found in OpenSSL to its products and released software updates for a large number of them that incorporate the OpenSSL patches.