Guest

Preview Tool

Cisco Bug: CSCuw26753 - Edge Server Cert validation not checking Server Cert for a domain

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Jabber for Windows

Known Affected Releases

10.6(0) 10.6(1) 10.6(2) 10.6(3) 10.6(5) 11.0(0) 11.0(1) 11.1(0) 11.5(0)

Description (partial)

Symptoms:
A vulnerability in certificate validation trusting Fully Qualified Domain Names (FQDNs) within 
Cisco Jabber could allow an unauthenticated, remote attacker to trick the application 
into trusting a compromised certificate.

The vulnerability is due to how Cisco Jabber retrieves the FQDN contained within the Edge 
Server certificate. An attacker could exploit this vulnerability by highjacking the FQDN 
lookup by redirecting Cisco Jabber to a rouge Domain Name Server (DNS). An exploit could 
allow the attacker to cause Cisco Jabber to trust the Edge Server Certificate because it 
contains a trust FQDN which was actually provided by a malicious DNS device.

Conditions:
The Cisco Jabber Edge Server is configured with a trusted certificate with a FQDN.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.