Low (Specialized access conditions or extenuating circumstances do not exist. Partial (There is reduced performance or interruptions in resource availability.)
None (There is no impact to the integrity of the system) These security bugs could enable remote attackers to execute arbitrary programs, gain access to sensitive information, and trigger denial-of-service states after exploiting them on devices running unpatched software.None (There is no impact to the confidentiality of the system.) Four more Cisco Jabber bugs patched todayĬisco released security updates for four other medium and high severity Cisco Jabber vulnerabilities (tracked as CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471). Vulnerable software includes Cisco Jabber for Windows, macOS, Android, or iOS, versions 12.9 or earlier. "A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, which could result in arbitrary code execution," Cisco's advisory explains. However, successful exploitation of CVE-2021-1411-which doesn't require user interaction-can enable authenticated, remote attackers to execute arbitrary programs on Windows, macOS, Android, or iOS devices running unpatched Jabber client software. Luckily, to exploit this critical bug, attackers need to be authenticated to an XMPP server used by the vulnerable software to send maliciously-crafted XMPP messages to their target's device.Īdditionally, the vulnerability does not affect Cisco Jabber client software configured for Team Messaging or Phone-only modes. The security flaw tracked as CVE-2021-1411 was rated by Cisco with a 9.9/10 severity score, and it is caused by improper input validation of incoming messages' contents. Cisco's Product Security Incident Response Team (PSIRT) says that the flaw is not currently exploited in the wild. The vulnerability was reported by Olav Sortland Thoresen of Watchcom. Cisco has addressed a critical arbitrary program execution vulnerability impacting several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS.Ĭisco Jabber is a web conferencing and instant messaging app that allows users to send messages via the Extensible Messaging and Presence Protocol (XMPP).