Cisco Patches Conferencing Product

Monday, October 17, 2016 @ 03:10 PM gHale

Cisco patched a vulnerability in one of its enterprise video conferencing products, the company said last week.

The issue affects the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS).

The XMPP service incorrectly processes a deprecated authentication scheme, which could allow an unauthenticated remote attacker to access the system as another user.

The vulnerability affects Cisco Meeting Server prior to version 2.0.6, and Acano Server prior to versions 1.8.18 and 1.9.6.

An attacker could only exploit the hole if XMPP is enabled. Disabling the product is a workaround until a fix is ready to go.

The company released updates to correct the flaw, and said until they are applied, users can mitigate the risk by disabling XMPP.

Cisco discovered the problem during a routine security audit of one of its customers, and there is no evidence the vulnerability is being exploited.

Cisco purchased Acano, a company specializing in video infrastructure and collaboration software, in January, and Meeting Server came out in mid-August. This is Cisco’s first product based on Acano technology.