Cisco Jabbers in the clear due to STARTTLS bug

Updated 'Twas the night before Christmas, when sysadmins probably weren't watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows.

The advisory suggests users of Jabber for Windows 10.6.x through to 11.1.x upgrade, because those versions are vulnerable to a STARTTLS man-in-the-middle downgrade attack.

“[T]he client does not verifying that the Extensible Messaging and Presence Protocol (XMPP) connection has been established with Transport Layer Security (TLS). An attacker could exploit this vulnerability by performing a man in the middle attack to tamper with the XMPP connection and avoid the TLS negotiation,” the advisory states.

A successful exploit would leave the vulnerable clients communicating in the clear.

Synacktiv, which discovered the problem, writes that its researchers Renaud Dubourguais and Sébastien Dudek found the problem. If an attacker had control of a WiFi hotspot the client connected to, it's easy to force-drop the STARTTLS request from the server, leaving the client chatting in plain text.

By negotiating its own SSL session with the server, the attacker can trick the server into thinking that the session is secured, so it won't raise any warnings to the client.

Synacktiv has published a proof-of-concept here. ®

Updated to add

Cisco has since amended its advisory to state that Jabber clients for iPhone, iPad, and Jabber for Android versions 9.x, 10.6.x, 11.0.x, and 11.1.x are also vulnerable.