Security News > 2020 > December > Cisco Patches Wormable, Zero-Click Vulnerability in Jabber

Cisco Patches Wormable, Zero-Click Vulnerability in Jabber
2020-12-11 12:44

Three months after addressing a critical flaw in Jabber for Windows, Cisco released patches for a similar vulnerability in the video conferencing and instant messaging client.

The bug, which exists because the content of messages is not properly validated, affects both Jabber for Windows and Jabber for macOS. "An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution," Cisco explains.

The first of them, CVE-2020-27134, is an arbitrary script injection in Jabber for Windows and Jabber for macOS. Requiring user interaction, the flaw could lead to the execution of arbitrary programs or the leakage of sensitive information.

While there are no workarounds to mitigate these issues, Cisco has addressed them with software updates for the Windows, macOS, Android, and iOS Jabber clients.

"Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation," Watchcom notes.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/i_Zsonq3xJk/cisco-patches-wormable-zero-click-vulnerability-jabber

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-12-11 CVE-2020-27134 Information Exposure vulnerability in Cisco Jabber and Jabber for Mobile Platforms
Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information.
network
low complexity
cisco CWE-200
critical
9.9

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751