CVE-2020-3155
Cisco Intelligent Proximity SSL Certificate Validation Vulnerability
Public Exploits: 0
Exploited in Wild: -
Descriptions
A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device or a Cisco collaboration endpoint. An attacker could exploit this vulnerability by using man-in-the-middle (MITM) techniques to intercept the traffic between the affected client and an endpoint, and then using a forged certificate to impersonate the endpoint. Depending on the configuration of the endpoint, an exploit could allow the attacker to view presentation content shared on it, modify any content being presented by the victim, or have access to call controls. This vulnerability does not affect cloud-registered collaboration endpoints.
Timeline
- 2019-12-12 CVE Reserved
- 2020-03-04 CVE Published
- 2023-11-20 EPSS Updated
- 2024-09-16 CVE Updated
CWE
- CWE-295: Improper Certificate Validation
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | Relation | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Cisco | Telepresence Codec C40 Firmware | - | - | Affected | in | Cisco | Telepresence Codec C40 | - | - | Safe |
Cisco | Telepresence Codec C60 Firmware | - | - | Affected | in | Cisco | Telepresence Codec C60 | - | - | Safe |
Cisco | Telepresence Codec C90 Firmware | - | - | Affected | in | Cisco | Telepresence Codec C90 | - | - | Safe |
Cisco | Intelligence Proximity | * | - | Affected | | | | | | |
Cisco | Jabber | * | - | Affected | | | | | | |
Cisco | Meeting | * | - | Affected | | | | | | |
Cisco | Webex Meetings | * | - | Affected | | | | | | |
Cisco | Webex Teams | * | - | Affected | | | | | | |