Security News
![The patch that wasn't: Cisco emits fresh fixes for NTLM hash-spilling vuln and XSS-RCE combo in Jabber app](/static/build/img/news/alt/antivirus-stats-small.jpg)
A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."
![Zero-Click Wormable RCE Vulnerability in Cisco Jabber Gets Fixed, Again](/static/build/img/news/zero-click-wormable-rce-vulnerability-in-cisco-jabber-gets-fixed-again-small.jpg)
The bug impacts Cisco Jabber for Windows, Jabber for macOS and Jabber for mobile platforms. The most serious of the bugs, a cross-site scripting flaw, impacts Cisco Jabber for Windows and Cisco Jabber for macOS. The flaw allows an authenticated, remote attacker to execute programs on a targeted system.
![Cisco fixes new Jabber for Windows critical code execution bug](/static/build/img/news/alt/web-statistics-3-small.jpg)
Cisco has addressed a new critical severity remote code execution vulnerability affecting several versions of Cisco Jabber for Windows, macOS, and mobile platforms after patching a related security bug in September. Cisco released security updates in September to address a critical RCE security vulnerability tracked as CVE-2020-3495 stemming from a Cross-Site Scripting bug in Cisco Jabber.
![Cisco Reissues Patches for Critical Bugs in Jabber Video Conferencing Software](/static/build/img/news/cisco-reissues-patches-for-critical-bugs-in-jabber-video-conferencing-software.jpg)
Cisco has once again fixed four previously disclosed critical bugs in its Jabber video conferencing and messaging app that were inadequately addressed, leaving its users susceptible to remote attacks. The new flaws, which were uncovered after one of its clients requested a verification audit of the patch, affect all currently supported versions of the Cisco Jabber client.
![AWS, Cisco, and CompTIA Exam Prep — Get 22 Courses for $4.50 Each](/static/build/img/news/aws-cisco-and-comptia-exam-prep-get-22-courses-for-4-50-each.jpg)
If you would like to improve your chances of getting hired, "The 2021 All-In-One AWS, Cisco & CompTIA Super Certification Bundle" is worth your attention. This mammoth collection of courses helps you prepare for a long list of certification exams, including Amazon, Cisco, Google, Microsoft, and CompTIA. It delivers over 240 hours of content in total, worth over $4,300.
![Cisco fixes Security Manager vulnerabilities with public exploits](/static/build/img/news/alt/antivirus-stats-small.jpg)
Cisco has released security updates to address multiple pre-authentication vulnerabilities with public exploits affecting Cisco Security Manager that could allow for remote code execution after successful exploitation. Cisco Security Manager helps manage security policies on a large assortment of Cisco security and network devices, and it also provides summarized reports and security event troubleshooting capabilities.
![Cisco Webex vulnerabilities may enable attackers to covertly join meetings](/static/build/img/news/alt/cloud-cybersecurity-statistics-small.jpg)
Join Webex meetings without appearing in the participant list. "These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner's name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence and cognitive overloading techniques."
![Cisco Webex Vulnerability Allows Ghost Access to Meetings](/static/build/img/news/alt/phishing-stats-2-small.jpg)
Identified by IBM's security researchers, the Webex flaws could allow attackers to join meetings as ghosts, remain in the meeting as a ghost after being expelled, and access information on meeting attendees. Tracked as CVE-2020-3419, the first of the issues impacts both Webex Meetings and Webex Meetings Server and is the result of "Improper handling of authentication tokens by a vulnerable Webex site."
![Cisco Webex ‘Ghost’ Flaw Opens Meetings to Snooping](/static/build/img/news/cisco-webex-ghost-flaw-opens-meetings-to-snooping.jpg)
Once they have meeting access, an attacker could exploit the flaw by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. It affected all Cisco Webex Meetings sites prior to November 17, 2020, and all Cisco Webex Meetings app releases 40.10.9 and earlier for iOS and Android.
![Cisco fixes WebEx bugs allowing 'ghost' attackers in meetings](/static/build/img/news/alt/cloud-cybersecurity-statistics-small.jpg)
Cisco today fixed three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants. The three bugs also enabled attackers to remain in the Webex meeting and maintain a bidirectional audio connection even after admins removed them, and to access Webex users' information such as email addresses and IP addresses from the meeting room lobby.