Cisco has released security updates to address a critical remote code execution (RCE) flaw affecting several versions of Cisco Jabber for Windows, macOS, and mobile platforms.
In September Cisco released security updates to address another critical RCE security flaw (CVE-2020-3495) stemming from a Cross-Site Scripting (XSS) issue in Cisco Jabber.
After Cisco mitigated the above issue, researchers at Watchcom discovered a new wormable RCE flaw and reported it to the IT giant. Watchcom explained that three flaws, including an RCE issue, have not been properly mitigated by the vendor.
The expert discovered new flaws that affect all currently supported Cisco Jabber versions, from 12.1 up to 12.9.
The RCE vulnerability discovered by the researchers is an XSS bug tracked as CVE-2020-26085. The flaw could be exploited by an attacker to execute arbitrary code remotely by escaping Cisco Jabber’s CEF sandbox.
“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.”
The vulnerability could be exploited without user interaction and is wormable.
The experts published a video PoC f that attack that exploits the Cisco Jabber vulnerabilities fixed in September 2020.
(SecurityAffairs – hacking, BISMUTH)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.