Re: Important Update: Discontinuation of Cisco Proximity

Henrik Bakken · ‎10-14-2024

Dear Valued Customers,
we wish to inform you of an important update regarding Cisco Proximity. As part of our ongoing product lifecycle management and commitment to providing high-quality solutions, Cisco has made the strategic decision to discontinue the development of the Cisco Proximity application.

Please note that Cisco Proximity has been offered as a complimentary tool without full support, and as such, we will not proceed with a traditional End of Life announcement. Effective immediately, there will be no further software updates, enhancements, or bug fixes for Cisco Proximity.

We are aware of existing security vulnerabilities within the app and advise our customers to transition to alternative solutions for content sharing needs as soon as possible.

For a seamless wireless sharing experience with Cisco devices, we recommend utilizing the Webex app, Miracast®, or Apple AirPlay, which offer robust and secure functionalities.

To accommodate your transition, the Cisco Proximity app will remain available for download at proximity.cisco.com until December 31, 2026. After this date, the app will no longer be accessible. We still advise customers to transition to other solutions as soon as possible.

We appreciate your understanding and are here to support you through this transition. Our team is committed to ensuring that you continue to have access to the best tools and technologies for your collaboration needs.

Thank you for choosing Cisco.

Sincerely,
Henrik Bakken
Product @ Cisco Devices

cofry · ‎01-31-2025

Cisco lists two security advisories for Cisco Proximity, both of which were resolved by version 3.1 or later.
In this post, you reference:

@Henrik Bakken wrote:
We are aware of existing security vulnerabilities within the app and advise our customers to transition to alternative solutions for content sharing needs as soon as possible.

Are there additional known vulnerabilities beyond those listed that have not yet been addressed? Can you provide details on these vulnerabilities and the risk they pose?

Mattias Widman · ‎02-04-2025

Why aren't the release dates attached to the changelog at: https://proximity.cisco.com/changelog.html

Impossible to understand if the abover refers to version 4.0.0 or earlier unless I am missing something...

mneergaa · ‎02-14-2025

There are multiple current CVEs that affect Cisco Proximity 4.0.0. It uses outdated versions of Qt and libcurl, and from a quick investigation I have found at least three CVEs that are relevant:

https://nvd.nist.gov/vuln/detail/CVE-2022-25255
https://nvd.nist.gov/vuln/detail/CVE-2022-25634
https://nvd.nist.gov/vuln/detail/CVE-2023-33285

Note that we haven't done any in-depth analysis that indicates there are relevant ways to exploit these vulnerabilities in Qt. E.g. I think Cisco Proximity might use `QProcess` to launch some subprocess, but in order for that to be exploited an attacker would have to modify files on the local file system (indicating they already compromised the system)

Mattias Widman · ‎02-14-2025

OK,

but if I read the statements from earlier these will not be addressed in a future update?

mneergaa · ‎02-14-2025

Correct. We have ended support and won't make any further releases.

Mattias Widman · ‎02-14-2025

Thanks for confirming... Use at your own risk I guess

durgendra-srivastava · ‎02-20-2025

Thanks for sharing the details .