Cisco Bug: CSCvv50325 - SIPD support 3DES ciphers which is vulnerable to CVE-2016-2183
Sep 15, 2020
- Cisco Unified Communications Manager IM & Presence Service
Known Affected Releases
Symptom: Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) includes a version of the DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols, that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2183. This bug was opened to address the potential impact on this product.

Conditions: IM&P uses a Triple-DES cipher only if the client application forces that particular cipher during the SSL handshake. Otherwise, IM&P uses its more preferred cipher suite (i.e. AES) on the mentioned ports and the vulnerability is never exposed. This "lowered preference" is the main idea behind the solution provided by OpenSSL in the 1.0.2 library version, which is currently used as part of CiscoSSL. So far, the only reports from the field have come from port scanner applications tailored to search for vulnerable cipher suites, rather than from real deployments in which IM&P used one of the Triple-DES ciphers to create secure connections.
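The selection behaviour described under Conditions, as an added example that is not Cisco or OpenSSL code: a small model of server-preference cipher selection showing why a scanner that offers 3DES alone reports a finding while an AES-capable client never lands on 3DES. The server and client suite lists are constructed, the model assumes the server enforces its own preference order, and the suite IDs are IANA TLS code points.

```python
# Added example, not Cisco/OpenSSL code. Assumption: the server enforces its own
# preference order. Suite IDs are IANA TLS code points; all lists are constructed.
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def is_3des(suite):
    return "3DES" in SUITES[suite]

def negotiate(server_pref, client_offer):
    """First suite in the server's order that the client also offered, else None."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def scanner_findings(server_pref):
    """3DES suites accepted when offered alone, which is what a cipher scanner reports."""
    return [SUITES[s] for s in SUITES if is_3des(s) and negotiate(server_pref, [s]) == s]

def exposure(server_pref, client_offers):
    """'absent', 'forced-only' (no listed client lands on 3DES) or 'negotiated'."""
    if not scanner_findings(server_pref):
        return "absent"
    for offer in client_offers:
        chosen = negotiate(server_pref, offer)
        if chosen is not None and is_3des(chosen):
            return "negotiated"
    return "forced-only"

# Constructed sample data: AES preferred, 3DES kept at the end of the list.
AS_DESCRIBED = [0xC030, 0xC02F, 0x0035, 0x002F, 0xC012, 0x000A]
HARDENED = AS_DESCRIBED[:4]            # same order with the 3DES suites removed
AES_CLIENT = [0xC02F, 0xC030, 0x002F, 0x000A]
LEGACY_CLIENT = [0x000A]               # offers 3DES only, like a targeted scan

if __name__ == "__main__":
    print("AES-capable client gets:", SUITES[negotiate(AS_DESCRIBED, AES_CLIENT)])
    print("scanner reports:", scanner_findings(AS_DESCRIBED))
    print("exposure, AES clients only:", exposure(AS_DESCRIBED, [AES_CLIENT]))
    print("exposure, hardened list:", exposure(HARDENED, [AES_CLIENT, LEGACY_CLIENT]))
```

In this model, lowering the preference of 3DES changes what AES-capable clients negotiate but not what a scanner finds; only removing the 3DES suites from the server list clears the finding.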