Cisco has addressed a critical arbitrary program execution vulnerability impacting several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS.
Cisco Jabber is a web conferencing and instant messaging app that allows users to send messages via the Extensible Messaging and Presence Protocol (XMPP).
The vulnerability was reported by Olav Sortland Thoresen of Watchcom. Cisco’s Product Security Incident Response Team (PSIRT) says that the flaw is not currently exploited in the wild.
Almost maximum severity rating
The security flaw tracked as CVE-2021-1411 was rated by Cisco with a 9.9/10 severity score, and it is caused by improper input validation of incoming messages’ contents.
Luckily, to exploit this critical bug, attackers need to be authenticated to an XMPP server used by the vulnerable software to send maliciously-crafted XMPP messages to their target’s device.
Additionally, the vulnerability does not affect Cisco Jabber client software configured for Team Messaging or Phone-only modes.
However, successful exploitation of CVE-2021-1411—which doesn’t require user interaction—can enable authenticated, remote attackers to execute arbitrary programs on Windows, macOS, Android, or iOS devices running unpatched Jabber client software.
“A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, which could result in arbitrary code execution,” Cisco’s advisory explains.
Vulnerable software includes Cisco Jabber for Windows, macOS, Android, or iOS, versions 12.9 or earlier.
Four more Cisco Jabber bugs patched today
Cisco released security updates for four other medium and high severity Cisco Jabber vulnerabilities (tracked as CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471).
These security bugs could enable remote attackers to execute arbitrary programs, gain access to sensitive information, or trigger denial-of-service conditions on devices running unpatched software.
| Cisco Jabber Platform | Associated CVE IDs |
|---|---|
| Windows | CVE-2021-1411, CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471 |
| macOS | CVE-2021-1418 and CVE-2021-1471 |
| Android and iOS | CVE-2021-1418 and CVE-2021-1471 |
Cisco also published 37 other security advisories today, detailing security updates for other medium and high severity security flaws in multiple Cisco products.
In related news, last year, the company fixed two similar critical-level remote code execution bugs [1, 2] found in the Cisco Jabber IM client software, both discovered and reported by Watchcom’s Olav Sortland Thoresen.