Three months after addressing a critical flaw in Jabber for Windows, Cisco released patches for a similar vulnerability in the video conferencing and instant messaging client.
In early September, the company released fixes for a total of four security bugs in Jabber, the most severe of which featured a CVSS score of 9.9. It allowed attackers to execute arbitrary code remotely, through specially crafted Extensible Messaging and Presence Protocol (XMPP) messages.
Several weeks after patches were issued, Watchcom, the security firm that found the bugs, discovered that the released patches were insufficient. This led to the identification of three new bugs, one of which features a CVSS score of 9.9.
Tracked as CVE-2020-26085, the critical vulnerability is a cross-site scripting (XSS) issue that leads to remote code execution (RCE) on the underlying operating system, with elevated privileges.
Built on the Chromium Embedded Framework (CEF), Jabber uses HTML, CSS, and JavaScript for the UI, along with other technologies. The XSS, Watchcom explains, could be used to escape the CEF sandbox without user interaction.
Furthermore, with the payload delivered via instant messages, the vulnerability is wormable, the security firm explains. The bug, which exists because the content of messages is not properly validated, affects both Jabber for Windows and Jabber for macOS.
“An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution,” Cisco explains.
Watchcom also discovered two medium-severity issues in Jabber (CVE-2020-27132 and CVE-2020-27127). The former can lead to leaking NTLM password hashes, while the latter could result in the attacker sending arbitrary input to the Jabber client, by tricking the user into clicking on a link.
Internally, Cisco identified two other issues in Jabber, both rated high severity. The first of them, CVE-2020-27134 (CVSS score of 8.0), is an arbitrary script injection in Jabber for Windows and Jabber for macOS. Requiring user interaction, the flaw could lead to the execution of arbitrary programs or the leakage of sensitive information.
The second issue, CVE-2020-27133 (CVSS score of 8.8), affects Jabber for Windows and could lead to the execution of arbitrary commands. The attacker needs to convince the user to click on a link.
While there are no workarounds to mitigate these issues, Cisco has addressed them with software updates for the Windows, macOS, Android, and iOS Jabber clients. The company says it is not aware of these flaws being targeted in attacks.
“Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation,” Watchcom notes.
Related: Cisco Patches Publicly Disclosed Vulnerabilities in Security Manager
Related: Cisco Patches 17 High-Severity Vulnerabilities in Security Appliances
Related: Cisco Patches 34 High-Severity Vulnerabilities in IOS Software