Cisco has addressed a critical arbitrary program execution flaw in its Cisco Jabber client software for Windows, macOS, Android, and iOS.
Cisco has addressed a critical arbitrary program execution issue, tracked as CVE-2021-1411, that affects several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS.
Cisco Jabber delivers instant messaging, voice and video calls, voice messaging, desktop sharing, conferencing, and presence.
The CVE-2021-1411 vulnerability stems from the improper input validation of incoming messages’ contents and was rated by Cisco with a CVSS score of 9.9 out of 10.
“Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition.” reads the advisory published by Cisco.
The vulnerability can be only exploited by attackers that are authenticated to an XMPP server used by the vulnerable software which is used to send specially-crafted XMPP messages to a vulnerable device.
The flaw could be exploited without user interaction by an authenticated, remote attacker to execute arbitrary code on Windows, macOS, Android, or iOS devices running unpatched Jabber client software.
“A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute programs on a targeted system.” continues the advisory. “This vulnerability is due to improper validation of message content. An attacker could exploit this vulnerability by sending crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, which could result in arbitrary code execution.”
The IT giant added that the issue does not affect Jabber client software configured for Team Messaging or Phone-only modes.
The flaw affects Cisco Jabber for Windows, macOS, Android, or iOS, versions 12.9 or earlier.
The flaw was reported by Olav Sortland Thoresen of Watchcom, who also reported the CVE-2021-1417, and CVE-2021-1418 vulnerabilities. The Cisco Product Security Incident Response Team (PSIRT) said it is not aware attacks in the wild exploiting the vulnerabilities described in its advisory.
Cisco also addressed other four other high and medium severity flaws in Jabber software, tracked as CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471.
Below the details of the issues:
- CVE-2021-1469: Arbitrary Program Execution Vulnerability
- CVE-2021-1417: Information Disclosure Vulnerability
- CVE-2021-1471: Certificate Validation Vulnerability
- CVE-2021-1418: Denial of Service Vulnerability
Below the list of CVE IDs affecting each platform:
|JABBER PLATFORM||ASSOCIATED CVE IDS|
|Windows||CVE-2021-1411, CVE-2021-1417, CVE-2021-1418, CVE-2021-1469, and CVE-2021-1471|
|macOS||CVE-2021-1418 and CVE-2021-1471|
|Android and iOS||CVE-2021-1418 and CVE-2021-1471|
[출처 : SecurityAffairs / 3.24.]