Wormable code execution error in Cisco Jabber has a severity score of 9.9 out of 10 | GeekComparison



Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that allowed attackers to execute malicious code that would spread from computer to computer without requiring user intervention. Again.

The vulnerability, first revealed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app failed to properly filter potentially malicious elements in messages sent by users. The filter was based on an incomplete blocklist that could be bypassed using an HTML event-handler attribute, onanimationstart, that the blocklist did not cover.

Messages containing the attribute were passed directly to the DOM of an embedded browser. Since the browser was based on the Chromium Embedded Framework, it executed all scripts that passed through the filter.

With the filter bypassed, the researchers still had to find a way out of a security sandbox designed to prevent user input from reaching sensitive parts of the operating system. They eventually settled on a function called CallCppFunction, which Cisco Jabber uses, among other things, to open files that one user receives from another.

In total, Watchcom reported four vulnerabilities, all of which were patched at the same time they were revealed in September. However, on Thursday, the Watchcom researchers said the fixes were incomplete for three of them.

In a blog post, the company's researchers wrote:

Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages. The patch released in September fixed only the specific injection points that Watchcom had identified. The underlying problem was not addressed. This allowed us to find new injection points that could be used to exploit the vulnerabilities.

One of these injection points is the file name of a file sent through Cisco Jabber. The file name is specified by the name attribute of a file tag sent over XMPP. This attribute is displayed in the DOM when an incoming file transfer is received. The value of the attribute is not cleaned up before being added to the DOM, making it possible to inject arbitrary HTML tags into the file transfer message by manipulating it.

No additional security measures were in place and it was therefore possible to execute both remote code and steal NTLM password hashes using this new injection point.
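As an added illustration of the two points made above, the blocklist bypass and the unescaped file name (this is example code, not Cisco's or Watchcom's): a blocklist filter of the kind described strips only the handler attributes it lists, while HTML-encoding an untrusted value such as the file-transfer name before it reaches the DOM neutralises any tag it carries. The function names, the sample file name and the handler name are constructed placeholders.

```javascript
// Added example (not Cisco's or Watchcom's code): a blocklist filter for
// event-handler attributes versus output encoding of an untrusted value.

// A blocklist in the style the article describes: it strips a fixed set of
// event-handler attributes and misses any attribute that is not on the list.
const BLOCKED_ATTRIBUTES = ["onclick", "onload", "onerror", "onmouseover"];

function blocklistFilter(html) {
  let out = html;
  for (const attr of BLOCKED_ATTRIBUTES) {
    // Remove  attr="..."  /  attr='...'  /  attr=bare  (case-insensitive).
    const re = new RegExp(`\\s${attr}\\s*=\\s*("[^"]*"|'[^']*'|[^\\s>]+)`, "gi");
    out = out.replace(re, "");
  }
  return out;
}

// Coarse detection check: does a markup string still carry any on*= attribute?
function hasEventHandlerAttribute(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// The fix: encode the value as text so the embedded browser never parses it
// as markup, whatever attributes or tags it contains.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the file-transfer message with the file name treated as plain text.
function renderFileTransfer(fileName) {
  return `<div class="file-transfer">Incoming file: ${escapeHtml(fileName)}</div>`;
}

// Constructed sample file name: an inline tag whose attribute is absent from
// the blocklist. "handler()" is a placeholder, not a working payload.
const SAMPLE_FILE_NAME =
  'report<span style="animation:a" onanimationstart="handler()">.pdf';
```

Running `blocklistFilter` over a message built from `SAMPLE_FILE_NAME` leaves the handler attribute in place, whereas `renderFileTransfer` emits it as inert text.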

The three vulnerabilities, along with their descriptions and Common Vulnerability Scoring System (CVSS) ratings, are:

  • CVE-2020-26085: Cisco Jabber Cross-Site Scripting leading to RCE (CVSS 9.9)
  • CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure (CVSS 6.5)
  • CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection (CVSS 4.3)

The researchers advised installing the updates as soon as possible. Until every employee's client is patched, organizations should consider turning off all external communications. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 through 12.9). Cisco has details here.
