-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2407
      Cisco Meeting Server Client Authentication Bypass Vulnerability
                              13 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Meeting Server
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6445  

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Meeting Server Client Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20161012-msc

Revision 1.0

For Public Release 2016 October 12 16:00  UTC (GMT)
Last Updated  2016 October 12 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP)
service of the Cisco Meeting Server (CMS) could allow an unauthenticated,
remote attacker to masquerade as a legitimate user. This vulnerability
is due to the XMPP service incorrectly processing a deprecated
authentication scheme. A successful exploit could allow an attacker to
access the system as another user.

Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability in some environments are
available. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----