The patch that wasn't: Cisco emits fresh fixes for NTLM hash-spilling vuln and XSS-RCE combo in Jabber app

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities – including one remote code execution (RCE) flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Norwegian infosec biz Watchcom spotted the vulnerabilities, having been asked by a …

  1. Anonymous Coward

    Problem with approval?

    Give Ci$Co a break. It's not easy getting the NSA's approval for patches that might affect their operations.

  2. Version 1.0

    PFY: I think I've fixed the bug that was reported.

    BOFH: Are you sure? If that bug was in the original code, don't you think that they might have a few others?

    PHB: STFU, release the patch and we'll monitor the downloads and send everyone an advert for a new product. We can fix the other bugs later and generate more downloads and data collections, our bugs make us money.

  3. Anonymous Coward

    jabber

    I've also seen jabber being used inside a number of dodgy Android apps.

    One example:

    0ef3c1bba3f1f23febebe376183cecd6

    https://www.upstreamsystems.com/secure-d-uncovers-pre-installed-malware-alcatel-android-smartphones-manufactured-tcl/

    1. pc-fluesterer.info

      No! It's not jabber, it's applications

      Jabber, or XMPP as we call it nowadays, is just a protocol. The protocol is not the culprit; it is beyond any suspicion. The culprit is faulty (or backdoored, to be precise) SW in the case of Cisco, or a malicious App in the case of Alcatel. But who uses Cisco in the first place? I for one would never ever use Cisco (nor any other US-supplied network gear), particularly not for XMPP.

  4. Claptrap314

    ...

    "We followed our well-established security vulnerability process"

    Well, it's good to know that THAT is what it is called. Maybe you should try a "vulnerability elimination process".

    "We followed our well-established security vulnerability process"

    Maybe you should try UNestablishing it, then. This one seems broken. Uhh...where do I report a bug?

    "We followed our well-established security vulnerability process"

    You know, maybe if you were to establish a process for not creating security vulnerabilities in the first place, and following that, we could all save some time.

  5. sanmigueelbeer

    Cisco is not the only one ... Aruba has published ARUBA-PSA-2020-012:

    * Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2020-24633) - CVSSv3 Score of 9.8

    * Unauthenticated Remote Command Injection Vulnerability (CVE-2020-24634) - CVSSv3 Score of 9.8

    * Secureboot Bypass vulnerability in 90xx series gateways (CVE-2020-10713, CVE-2020-24637) - CVSSv3 Score of 8.0

  6. Robert Carnegie

    The linked article actually says that eight character passwords are inadequate. Not just "fewer than eight".
