CONFERENCE Virtual Event Today: Threat Detection & Incident Response (TDIR) Summit - Join the Event
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical Vulnerability in Jabber for Windows

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Cisco last week released patches to address a critical remote code execution vulnerability in Jabber for Windows.

Tracked as CVE-2020-3495 and featuring a CVSS score of 9.9, the flaw can be exploited remotely without authentication through sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) message to a vulnerable application.

The issue exists because the software fails to properly validate message contents. An attacker able to successfully exploit the vulnerability could execute arbitrary programs on the target system, likely gaining code execution capabilities, Cisco says.

Watchcom, the security firm that identified the flaw in the video conferencing and instant messaging application, explains that the code execution is the result of Cross Site Scripting (XSS) through XHTML-IM messages.

The XSS filter used to sanitize incoming HTML messages was found to be flawed and could be bypassed using the onanimationstart attribute, which specifies “a JavaScript function that will be called when an element’s CSS animation starts playing,” Watchcom says.

“Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically,” the company continues.

An attacker looking to exploit the vulnerability needs to send XMPP messages to PCs running Jabber for Windows, and may require access to “the same XMPP domain or another method of access to be able to send messages to clients,” the tech company explains.

Furthermore, Cisco notes that the attacker could cause the affected program to “run an arbitrary executable that already exists within the local file path of the application.”

Advertisement. Scroll to continue reading.

The file would be executed with the same privileges as those of the user who launched the Jabber client application. The issue does not affect systems where Jabber is used in phone-only mode, without XMPP messaging services enabled. Exploitation is not possible when Jabber is configured to use other messaging services than XMPP.

The tech company also released patches to address a high-severity remote command execution flaw in the application protocol handling features of Jabber for Windows, which exists due to improper handling of input to the application protocol handlers.

Featuring a CVSS score of 8.8 and tracked as CVE-2020-3430, the bug can be exploited only on systems where Jabber is not currently running. To exploit the vulnerability, an attacker would need to trick a user “to click a link designed to send malicious content to the Cisco Jabber application.”

While there are no workarounds to address these security bugs, Cisco has already released updates to patch them. Jabber for Windows versions 12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3, and 12.9.1 contain the necessary fixes.

Cisco says it is not aware of these bugs being actively exploited.

On Wednesday, the company also published advisories related to three other high-risk issues: file overwrite (CVE-2020-3478) in Enterprise NFV Infrastructure Software (NFVIS) and privilege escalation (CVE-2020-3530 and CVE-2020-3473) flaws in IOS XR software.

Ten other advisories were published to provide information on eleven vulnerabilities affecting Webex; Email Security Appliance, Content Security Management Appliance, and Web Security Appliance; Small Business RV340 series routers; NFVIS; Jabber for Windows; FXOS software; and Email Security Appliance.

Technical details on all these vulnerabilities are available on the Cisco Security website.

Related: Cisco Says Hackers Targeting Zero-Days in Carrier-Grade Routers

Related: Cisco Patches High-Severity Vulnerabilities in NX-OS Software

Related: Default Credentials Expose Cisco ENCS, CSP Appliances to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.