Cisco Patches Wormable, Zero-Click Vulnerability in Jabber
Three months after addressing a critical flaw in Jabber for Windows, Cisco released patches for a similar vulnerability in the video conferencing and instant messaging client.
The bug, which exists because the content of messages is not properly validated, affects both Jabber for Windows and Jabber for macOS. "An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution," Cisco explains.
The first of the newly patched vulnerabilities, CVE-2020-27134, is an arbitrary script injection in Jabber for Windows and Jabber for macOS. Although it requires user interaction, the flaw could lead to the execution of arbitrary programs or the leakage of sensitive information.
While there are no workarounds to mitigate these issues, Cisco has addressed them with software updates for the Windows, macOS, Android, and iOS Jabber clients.
"Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation," Watchcom notes.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-11 | CVE-2020-27134 | Information Exposure vulnerability in Cisco Jabber and Jabber for Mobile Platforms. Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. | 9.9 |