Cisco has once again fixed four critical bugs in its Jabber video conferencing and messaging app, after an earlier patch left its users vulnerable to remote attacks.
The vulnerabilities, if successfully exploited, could allow an authenticated remote attacker to execute arbitrary code on target systems by sending specially crafted chat messages in group or one-on-one conversations.
They were reported to the network equipment maker on September 25 by Watchcom, three weeks after the Norwegian cybersecurity company disclosed multiple security flaws in Jabber that it had found during a client penetration test in June.
The new flaws, which were uncovered after one of Watchcom's clients requested an audit to verify the patch, affect all currently supported versions of the Cisco Jabber client (12.1 through 12.9).
“Three of the four vulnerabilities Watchcom uncovered in September have not been sufficiently mitigated,” Watchcom said in a report published today. “Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed. As such, we were able to find new injection points that could be used to exploit the vulnerabilities.”
The most severe of the flaws is CVE-2020-26085 (similar to CVE-2020-3495), which carries a severity score of 9.9 out of 10. It is a one-click cross-site scripting (XSS) vulnerability that can be used to execute code remotely by escaping the CEF sandbox.
CEF, or Chromium Embedded Framework, is an open-source framework used to embed a Chromium-based web browser in other applications.
While the embedded browser runs in a sandbox meant to prevent unauthorized file access, the researchers found a way to bypass that protection by abusing window.CallCppFunction, a function designed to open files sent by other Cisco Jabber users.
All an adversary has to do is initiate a file transfer containing a malicious “.exe” file, force the victim to accept it via the XSS attack, and then trigger a call to that function, causing the executable to run on the victim's machine.
Worse, the vulnerability requires no user interaction and is wormable, meaning it can be used to spread malware to other systems automatically by hiding the payload in a chat message.
The second flaw, CVE-2020-27132, stems from the way Jabber handles HTML tags in XMPP messages; XMPP is an XML-based communication protocol used to facilitate instant messaging between two or more network entities.
“No additional security measures had been put in place, and it was therefore possible to gain remote code execution and obtain NTLM password hashes through this new injection point,” the researchers said.
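As an added illustration of the defensive side of this second flaw (example code, not Cisco's or Watchcom's), the Python sanitizer below rebuilds the HTML of a chat message from an allow list of tags and attributes instead of passing tags through to the renderer. The tag list, the constructed sample message and the hostnames in it are assumptions for the demo; the link check admits only absolute http/https URLs, so script, file and UNC references are dropped along with event-handler attributes.

```python
"""Allow-list sanitizer for HTML carried in chat message bodies.

Added example, not the Jabber client's code. A renderer that passes raw HTML
from an XMPP message through to an embedded browser hands an attacker a script
and resource-fetch injection point; rebuilding the markup from an allow list
removes that class of issue regardless of which tag the next payload uses.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a"}   # assumed inline subset
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (style, on*, src, ...) is dropped
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}       # tag AND its text are discarded


def _safe_href(value):
    # Only absolute http/https links survive; javascript:, file: and UNC-style
    # references are refused. (A resource pointing at a UNC path is one classic
    # way a Windows client is coaxed into an NTLM authentication to a remote host.)
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() in {"http", "https"} and parts.netloc:
        return value
    return None


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt markup fragments
        self.open_stack = []   # allowed tags currently open, for well-formed output
        self.skip_depth = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself but keep its text children
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href":
                value = _safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip_depth:
            self.skip_depth -= 1
            return
        if tag in self.open_stack:
            # close up to and including the matching tag so output stays well-formed
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth:
            return
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_stack:   # close anything the message left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_message_html(body: str) -> str:
    """Return the message body rebuilt from allow-listed markup only."""
    p = _Sanitizer()
    p.feed(body)
    p.close()
    return p.result()


# Constructed sample message for the demo (not a real capture)
SAMPLE_MESSAGE = (
    '<p>Hi <b>Bob</b>, see '
    '<a href="https://example.org/x" onclick="evil()">this</a>'
    '<img src="file://example.invalid/share/p.png">'
    '<script>alert(1)</script></p>'
)

if __name__ == "__main__":
    print(sanitize_message_html(SAMPLE_MESSAGE))
```

The design choice is allow-list rather than deny-list: the report above notes that Cisco's first patch fixed the reported injection points but not the underlying problem, which is exactly the failure mode of blocking known-bad tags one at a time.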
The third and final vulnerability (CVE-2020-27127) is a command injection flaw in Jabber's custom protocol handlers, which tell the operating system to open specific URLs (e.g., XMPP://, IM://, and TEL://) in Jabber; it lets an attacker inject arbitrary command-line flags simply by including spaces in the URL.
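The third flaw comes down to argument splitting: if a handler URL is turned into a command string and re-split on whitespace, a space inside the URL becomes a new argument. The added Python example below (not Cisco's code; the client path, the flag name and the validation rules are assumptions) contrasts that naive pattern with a validator that accepts only a single-token URL with an allow-listed scheme and passes it to the client as one argv element.

```python
"""Defensive handling of custom protocol-handler URLs.

Added example, not the Jabber client's code. The hardened path validates the
URL strictly and hands it over as ONE argv element, never via a command string
that gets re-split on whitespace.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"xmpp", "im", "tel"}      # schemes named in the article
CLIENT_EXE = r"C:\ExampleChat\client.exe"    # hypothetical client path for the demo

# Exactly one token: a scheme, a colon, then printable ASCII with no whitespace.
_SAFE_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:[!-~]+$")


def validate_protocol_url(url: str) -> bool:
    """Accept only a single-token URL with an allow-listed scheme.

    Whitespace and control characters are refused outright: they are what would
    start a new argument if the string were ever re-split. The payload after the
    scheme must not itself look like a flag either.
    """
    if not isinstance(url, str) or not _SAFE_URL.fullmatch(url):
        return False
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        return False
    rest = url.split(":", 1)[1]
    if rest.lstrip("/").startswith("-"):
        return False
    return True


def naive_argv(url: str) -> List[str]:
    """INSECURE pattern: build a command line as text and split on spaces.

    Any space inside the URL yields extra arguments, i.e. attacker-chosen flags
    for the client process.
    """
    return (CLIENT_EXE + " " + url).split(" ")


def hardened_argv(url: str) -> Optional[List[str]]:
    """Validated URL becomes exactly one argument; anything else is refused (None)."""
    if not validate_protocol_url(url):
        return None
    return [CLIENT_EXE, url]


if __name__ == "__main__":
    # Constructed inputs: a benign handler URL and one carrying an injected flag
    for candidate in ("xmpp:alice@example.com",
                      "xmpp:alice@example.com --injected-flag"):
        print("naive   :", naive_argv(candidate))
        print("hardened:", hardened_argv(candidate))
```

On Windows the argv list still has to be turned into a single command line for CreateProcess, so the launcher must also quote that one element properly; refusing whitespace up front keeps the validated URL from ever needing quoting in the first place.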
Given the self-propagating nature of the attacks, Jabber users are advised to update to the latest version of the software to mitigate the risk.
Watchcom also recommends that organizations consider disabling communication with external entities through Cisco Jabber until all employees have installed the update.