back to article The patch that wasn't: Cisco emits fresh fixes for NTLM hash-spilling vuln and XSS-RCE combo in Jabber app

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities – including one remote code execution (RCE) flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Norwegian infosec biz Watchcom spotted the vulnerabilities, having been asked by a …

  1. Anonymous Coward

    Problem with approval?

    Give Ci$Co a break. It's not easy getting the NSA's approval for patches that might affect their operations.

  2. Version 1.0 Silver badge

    PFY: I've think I've fixed the bug that was reported.

    BOFH: Are you sure? If that bug was in the original code don't you think that they might have a few others?

    PHB: STFU, release the patch and we'll monitor the downloads and send everyone an advert for a new product. We can fix the other bugs later and generate more downloads and data collections, our bugs make us money.

  3. Anonymous Coward
    Anonymous Coward


    I've also seen jabber being used inside a number of dodgy Android apps.

    One example:



      No! It's not jabber, it's applications

      Jabber, or XMPP as we call it nowadays, is just a protocol. The protocol is not the culprit; it is beyond any suspicion. The culprit is faulty (or backdoored, to be precise) SW in the case of Cisco, or a malicious App in the case of Alcatel. But who uses Cisco in the first place? I for one would never ever use Cisco (nor any other US-supplied network gear), particularly not for XMPP.

  4. Claptrap314 Silver badge


    "We followed our well-established security vulnerability process"

    Well, it's good to know that THAT is what it is called. Maybe you should try a "vulnerability elimination process"

    "We followed our well-established security vulnerability process"

    Maybe you should try UNestablishing it, then. This one seems broken. Uhh...where do I report a bug?

    "We followed our well-established security vulnerability process"

    You know, maybe if you were to establish a process for not creating security vulnerabilities in the first place, and following that, we could all save some time.

  5. sanmigueelbeer

    Cisco is not the only one ... Aruba has published ARUBA-PSA-2020-012:

    * Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2020-24633) - CVSSv3 Score of 9.8

    * Unauthenticated Remote Command Injection Vulnerability (CVE-2020-24634) - CVSSv3 Score of 9.8

    * Secureboot Bypass vulnerability in 90xx series gateways (CVE-2020-10713, CVE-2020-24637) - CVSSv3 Score of 8.0

  6. Robert Carnegie Silver badge

    The linked article actually says that eight character passwords are inadequate. Not just "fewer than eight".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like