CVE-2020-3155

Cisco Intelligent Proximity SSL Certificate Validation Vulnerability

  • Severity Score (CVSS v3.1): 7.4
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. The vulnerability is due to a lack of validation of the SSL server certificate received when establishing a connection to a Cisco Webex video device or a Cisco collaboration endpoint. An attacker could exploit this vulnerability by using man-in-the-middle (MITM) techniques to intercept the traffic between the affected client and an endpoint, and then using a forged certificate to impersonate the endpoint. Depending on the configuration of the endpoint, an exploit could allow the attacker to view presentation content shared on it, modify any content being presented by the victim, or have access to call controls. This vulnerability does not affect cloud-registered collaboration endpoints.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-12-12 CVE Reserved
  • 2020-03-04 CVE Published
  • 2023-11-20 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-295: Improper Certificate Validation
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Cisco | Telepresence Codec C40 Firmware | -- | | Affected |
| in Cisco | Telepresence Codec C40 | -- | | Safe |
| Cisco | Telepresence Codec C60 Firmware | -- | | Affected |
| in Cisco | Telepresence Codec C60 | -- | | Safe |
| Cisco | Telepresence Codec C90 Firmware | -- | | Affected |
| in Cisco | Telepresence Codec C90 | -- | | Safe |
| Cisco | Intelligence Proximity | *- | | Affected |
| Cisco | Jabber | *- | | Affected |
| Cisco | Meeting | *- | | Affected |
| Cisco | Webex Meetings | *- | | Affected |
| Cisco | Webex Teams | *- | | Affected |