Cisco Jabber for Windows STARTTLS Downgrade Vulnerability

A vulnerability in the Cisco Jabber for Windows client could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack.

The vulnerability exists because the client does not verifying that the Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS). An attacker could exploit this vulnerability by performing a man in the middle attack to tamper with the XMPP connection and avoid the TLS negotiation. An exploit could allow the attacker to cause the client to establish a cleartext XMPP connection.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://ift.tt/1QOK7sl

from Cisco Security Advisory http://ift.tt/1QOK7sl