Cisco Bug: CSCvv50325 - SIPD supports 3DES ciphers, which are vulnerable to CVE-2016-2183

Last Modified

Sep 15, 2020

Products (1)

  • Cisco Unified Communications Manager IM & Presence Service

Known Affected Releases

12.5

Description (partial)

Symptom:
Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) includes a version of the DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols, that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2016-2183

This bug was opened to address the potential impact on this product.

Conditions:
IM&P uses a Triple-DES cipher only if the client application forces that particular cipher during the SSL handshake. Otherwise, IM&P uses its more preferred cipher suite (i.e. AES) on the mentioned ports and the vulnerability is never exposed. This "lowered preference" is the main idea behind the solution provided by OpenSSL in the 1.0.2 library version, which is currently used as part of CiscoSSL.

So far, the only reports from the field have come from port scanner applications tailored to search for vulnerable cipher suites, rather than from real-world situations in which IM&P has actually used one of the Triple-DES ciphers to create secure connections.
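
The selection behaviour described under Conditions, as an added example that is not Cisco or OpenSSL code: a small model of cipher-suite selection showing when a 3DES suite is chosen with 3DES kept at lowest preference, and what changes once it is removed from the server list. The suite lists and client profiles are constructed, and the client-order case goes beyond the text to show that lowered preference only helps when the server enforces its own order.

```python
# Added example: a model of TLS cipher-suite selection, not Cisco or OpenSSL code.
# All suite lists and client profiles below are constructed for illustration.

def is_3des(suite):
    """True for 3DES suites in IANA (..._3DES_EDE_...) or OpenSSL (DES-CBC3-...) naming."""
    return suite is not None and ("3DES" in suite or "DES-CBC3" in suite)

def negotiate(server_pref, client_offer, honor_server_order=True):
    """Return the suite a server would select, or None if there is no overlap.

    With honor_server_order the server walks its own list (the behaviour
    OpenSSL calls SSL_OP_CIPHER_SERVER_PREFERENCE); otherwise it follows
    the order in which the client listed its suites.
    """
    first, second = (server_pref, client_offer) if honor_server_order \
        else (client_offer, server_pref)
    allowed = set(second)
    return next((s for s in first if s in allowed), None)

def audit(server_pref, clients, honor_server_order=True):
    """Map each client profile name to (selected suite, selected suite is 3DES)."""
    result = {}
    for name, offer in clients.items():
        chosen = negotiate(server_pref, offer, honor_server_order)
        result[name] = (chosen, is_3des(chosen))
    return result

# Constructed server lists: 3DES kept at lowest preference vs. removed entirely.
LOW_PREF = ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
REMOVED = [s for s in LOW_PREF if not is_3des(s)]

# Constructed client profiles.
CLIENTS = {
    "typical": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA"],
    "3des_first": ["DES-CBC3-SHA", "AES128-SHA"],
    "3des_only": ["DES-CBC3-SHA"],  # the kind of offer a cipher scanner probes with
}

if __name__ == "__main__":
    for label, pref, honor in [("3DES last, server order", LOW_PREF, True),
                               ("3DES last, client order", LOW_PREF, False),
                               ("3DES removed", REMOVED, True)]:
        print(label)
        for name, (suite, weak) in audit(pref, CLIENTS, honor).items():
            print(f"  {name:<11} -> {suite or 'handshake fails'}{'  [3DES]' if weak else ''}")
```
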