Cisco Finesse Appliance Authentication Bypass Vulnerability (cisco-sa-20160202-fducce)

medium Nessus Plugin ID 130065

Synopsis

The remote host is missing a vendor-supplied security patch.

Description

According to its self-reported version, the Cisco Finesse appliance is affected by an authentication bypass vulnerability exists in Extensible Messaging and Presence Protocol (XMPP) due to a default account with a static password. An unauthenticated, remote attacker can exploit this, via using the default account, to bypass authentication and execute arbitrary actions with user privileges.

Solution

Apply the patch or upgrade to the version recommended in Cisco bug ID CSCuw79085

See Also

http://www.nessus.org/u?d3b7e6d8

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw79085

Plugin Details

Severity: Medium

ID: 130065

File Name: cisco-sa-20160202-fducce-finesse.nasl

Version: 1.2

Type: local

Family: CISCO

Published: 10/21/2019

Updated: 10/30/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2016-1307

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:finesse

Required KB Items: installed_sw/Cisco VOSS Finesse

Exploit Ease: No known exploits are available

Patch Publication Date: 2/2/2016

Vulnerability Publication Date: 2/2/2016

Reference Information

CVE: CVE-2016-1307

CWE: 264

CISCO-SA: cisco-sa-20160202-fducce

CISCO-BUG-ID: CSCuw79085