Cisco released software updates to address multiple vulnerabilities affecting its Jabber messaging clients across Windows, macOS, Android, and iOS.
Successful exploitation of the flaws could permit an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.
These vulnerabilities affect Cisco Jabber for Windows, Cisco Jabber for macOS, and Cisco Jabber for mobile platforms.
Cisco has confirmed that these vulnerabilities, except for CVE-2021-1471, do not affect Cisco Jabber client software that is configured for either of the following modes:
- Phone-only mode
- Team Messaging Mode
To exploit the vulnerabilities, an attacker must be:
- Authenticated to an Extensible Messaging and Presence Protocol (XMPP) server that the affected software is using
- Able to send XMPP messages to a targeted system
CVE-2021-1411: Cisco Jabber Arbitrary Program Execution Vulnerability
A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute programs on a targeted system. Cisco rated the flaw 9.9 out of 10 in severity.
This vulnerability is due to improper validation of message content. An attacker could exploit this vulnerability by sending crafted XMPP messages to the affected software.
A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, which could result in arbitrary code execution.
The flaw affects Cisco Jabber for Windows, macOS, Android, and iOS, versions 12.9 and earlier.
Details of the issues:
- CVE-2021-1469: Arbitrary Program Execution Vulnerability
- CVE-2021-1417: Information Disclosure Vulnerability
- CVE-2021-1471: Certificate Validation Vulnerability
- CVE-2021-1418: Denial of Service Vulnerability
Four More Cisco Jabber Bugs Patched
Cisco addressed four other high- and medium-severity flaws in Jabber software, tracked as CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471. The critical CVE-2021-1411 flaw was reported by Olav Sortland Thoresen of Watchcom, who also reported the CVE-2021-1417 and CVE-2021-1418 vulnerabilities.
On devices running unpatched software, these bugs could enable remote attackers to execute arbitrary programs, access sensitive information, or trigger denial-of-service conditions.