Cisco issued a security advisory and patch for a new Cisco Jabber software RCE vulnerability, as well as security fixes for multiple other products.
The remote code execution (RCE) vulnerability CVE-2020-3495 exists in the Cisco Jabber messaging client for Windows.
“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software,” warned Cisco in the advisory.
A successful exploit would let a remote attacker cause the Jabber client to execute arbitrary programs on the targeted system with the privileges of the user running the client, which can result in arbitrary code execution.
The Critical-rated flaw carries a CVSS score of 9.8. It does not affect Cisco Jabber for MacOS or Cisco Jabber for mobile platforms.
Cisco also patched a High severity protocol handler command injection vulnerability in Cisco Jabber, CVE-2020-3430. An attacker could exploit unpatched Jabber software to execute arbitrary commands.
Readers can also check out security firm Watchcom’s blog post for more details on the Jabber vulnerabilities and proof of concept.
Additional Cisco patches
Beyond the Jabber issues, Cisco also patched the following High risk vulnerabilities:
- Cisco Enterprise NFV Infrastructure Software File Overwrite Vulnerability (CVE-2020-3478)
- Cisco IOS XR Authenticated User Privilege Escalation Vulnerability (CVE-2020-3530)
- Cisco IOS XR Software Authenticated User Privilege Escalation Vulnerability (CVE-2020-3473).
Finally, 11 other Medium severity vulnerabilities were patched across multiple Cisco products, including two more Jabber flaws.
The latest advisories come just a day after Cisco issued a security advisory warning of a Cisco IOS XR software zero-day vulnerability, CVE-2020-3566, that is being actively exploited in the wild.
Check out the latest Cisco advisories as of September 2, 2020. System and Network administrators should deploy security updates to affected devices as soon as possible.
- Cisco warns of IOS XR zero-day vulnerability exploit in the wild (CVE-2020-3566)
- Cisco fixes 11 High risk vulnerabilities in NX-OS Software and other network products
- Attackers are exploiting Cisco ASA and FTD Software vulnerability (CVE-2020-3452)
- Cisco releases Critical Treck IP Stack advisory and 7 other High severity updates