Vulnerability Name:

CVE-2020-3155 (CCN-177212)

Assigned: 2019-12-12
Published: 2020-03-04
Updated: 2020-03-05
Summary: A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device or a Cisco collaboration endpoint. An attacker could exploit this vulnerability by using man-in-the-middle (MITM) techniques to intercept the traffic between the affected client and an endpoint, and then using a forged certificate to impersonate the endpoint. Depending on the configuration of the endpoint, an exploit could allow the attacker to view presentation content shared on it, modify any content being presented by the victim, or have access to call controls. This vulnerability does not affect cloud-registered collaboration endpoints.
CVSS v3 Severity: 7.4 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): None
7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-295
Vulnerability Consequences: Gain Access
References: Source: MITRE
Type: CNA
CVE-2020-3155

Source: XF
Type: UNKNOWN
cisco-cve20203155-mitm(177212)

Source: CCN
Type: Cisco Security Advisory cisco-sa-proximity-ssl-cert-gBBu3RB
Cisco Intelligent Proximity SSL Certificate Validation Vulnerability

Source: CISCO
Type: Vendor Advisory
20200304 Cisco Intelligent Proximity SSL Certificate Validation Vulnerability

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:cisco:intelligence_proximity:*:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:jabber:*:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:meeting:*:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings:*:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_teams:*:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:cisco:telepresence_codec_c40_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:cisco:telepresence_codec_c40:-:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:cisco:telepresence_codec_c60_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:cisco:telepresence_codec_c60:-:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:cisco:telepresence_codec_c90_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:cisco:telepresence_codec_c90:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    cisco intelligence proximity *
    cisco jabber *
    cisco meeting *
    cisco webex meetings *
    cisco webex teams *
    cisco telepresence codec c40 firmware -
    cisco telepresence codec c40 -
    cisco telepresence codec c60 firmware -
    cisco telepresence codec c60 -
    cisco telepresence codec c90 firmware -
    cisco telepresence codec c90 -