Cisco Bug: CSCuw26753 - Edge Server Cert validation not checking Server Cert for a domain
Aug 06, 2018
- Cisco Jabber for Windows
Known Affected Releases
10.6(0) 10.6(1) 10.6(2) 10.6(3) 10.6(5) 11.0(0) 11.0(1) 11.1(0) 11.5(0)
Symptoms: A vulnerability in certificate validation trusting Fully Qualified Domain Names (FQDNs) within Cisco Jabber could allow an unauthenticated, remote attacker to trick the application into trusting a compromised certificate. The vulnerability is due to how Cisco Jabber retrieves the FQDN contained within the Edge Server certificate. An attacker could exploit this vulnerability by highjacking the FQDN lookup by redirecting Cisco Jabber to a rouge Domain Name Server (DNS). An exploit could allow the attacker to cause Cisco Jabber to trust the Edge Server Certificate because it contains a trust FQDN which was actually provided by a malicious DNS device. Conditions: The Cisco Jabber Edge Server is configured with a trusted certificate with a FQDN.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases