Cisco Patches Critical Vulnerability in Jabber for Windows

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Tracked as CVE-2020-3495 and featuring a CVSS score of 9.9, the flaw can be exploited remotely without authentication through sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) message to a vulnerable application.

The issue exists because the software fails to properly validate message contents. An attacker able to successfully exploit the vulnerability could execute arbitrary programs on the target system, likely gaining code execution capabilities, Cisco says.

Watchcom, the security firm that identified the flaw in the video conferencing and instant messaging application, explains that the code execution is the result of Cross Site Scripting (XSS) through XHTML-IM messages.

The XSS filter used to sanitize incoming HTML messages was found to be flawed and could be bypassed using the onanimationstart attribute, which specifies “a JavaScript function that will be called when an element’s CSS animation starts playing,” Watchcom says.

“Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically,” the company continues.

An attacker looking to exploit the vulnerability needs to send XMPP messages to PCs running Jabber for Windows, and may require access to “the same XMPP domain or another method of access to be able to send messages to clients,” the tech company explains.

Furthermore, Cisco notes that the attacker could cause the affected program to “run an arbitrary executable that already exists within the local file path of the application.”

The file would be executed with the same privileges as those of the user who launched the Jabber client application. The issue does not affect systems where Jabber is used in phone-only mode, without XMPP messaging services enabled. Exploitation is not possible when Jabber is configured to use other messaging services than XMPP.

The tech company also released patches to address a high-severity remote command execution flaw in the application protocol handling features of Jabber for Windows, which exists due to improper handling of input to the application protocol handlers.

Featuring a CVSS score of 8.8 and tracked as CVE-2020-3430, the bug can be exploited only on systems where Jabber is not currently running. To exploit the vulnerability, an attacker would need to trick a user “to click a link designed to send malicious content to the Cisco Jabber application.”

While there are no workarounds to address these security bugs, Cisco has already released updates to patch them. Jabber for Windows versions 12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3, and 12.9.1 contain the necessary fixes.

Cisco says it is not aware of these bugs being actively exploited.

On Wednesday, the company also published advisories related to three other high-risk issues: file overwrite (CVE-2020-3478) in Enterprise NFV Infrastructure Software (NFVIS) and privilege escalation (CVE-2020-3530 and CVE-2020-3473) flaws in IOS XR software.

Ten other advisories were published to provide information on eleven vulnerabilities affecting Webex; Email Security Appliance, Content Security Management Appliance, and Web Security Appliance; Small Business RV340 series routers; NFVIS; Jabber for Windows; FXOS software; and Email Security Appliance.

Technical details on all these vulnerabilities are available on the Cisco Security website.

Related: Cisco Says Hackers Targeting Zero-Days in Carrier-Grade Routers

Related: Cisco Patches High-Severity Vulnerabilities in NX-OS Software

Related: Default Credentials Expose Cisco ENCS, CSP Appliances to Attacks