Cisco has recently addressed four critical vulnerabilities in its Jabber video conferencing and messaging application. The flaws had previously been inadequately mitigated, leaving users exposed to potential remote attacks. The company disclosed these fixes following a report that highlighted ongoing security shortcomings reported earlier this month by the Norwegian cybersecurity firm Watchcom.

The identified vulnerabilities, if exploited, could permit authenticated remote attackers to execute arbitrary code on targeted systems by sending specially crafted messages in either group conversations or private chats. As of September 25, Watchcom reported that these vulnerabilities emerged after it conducted a penetration test for a client.

These new flaws affect all supported versions of Cisco Jabber (12.1 – 12.9), and their discovery stems from a verification audit requested by one of Cisco’s clients. In a report released today, Watchcom stated that three of the four vulnerabilities disclosed this month have not been adequately resolved. Although Cisco issued a patch addressing certain injection points, the fundamental issues remain unaddressed, allowing researchers to identify additional injection vectors.

The most severe vulnerability is classified as CVE-2020-26085, sharing similarities with CVE-2020-3495. With a severity rating of 9.9 out of 10, this zero-click cross-site scripting (XSS) vulnerability can facilitate remote code execution by circumventing the security sandbox of the Chromium Embedded Framework (CEF).

CEF, an open-source framework used to embed a Chromium-based browser within applications, is designed to run sandboxed in order to prevent unauthorized file access. However, researchers have uncovered a method to circumvent these protections. By exploiting window.CallCppFunction, which is designed for file transfers, an attacker could send a malicious executable disguised as a file transfer, leading to its execution on the target system without the user's consent.

This vulnerability does not necessitate user interaction, making it particularly dangerous as it can facilitate the automatic spread of malware through chat messages. Another identified vulnerability, CVE-2020-27132, arises from improper HTML tag parsing in XMPP messages, which could allow a manipulated file transfer message to inject malicious scripts or links, further endangering user security.

The final vulnerability, CVE-2020-27127, relates to command injection due to flaws in the handling of protocol-specific URLs in Jabber. An attacker could inject command-line flags by simply altering the URL in question. Given the self-replicating nature of these vulnerabilities, it is imperative for users to promptly update their Cisco Jabber applications to the latest versions to minimize the risk.
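The class of flaw described for protocol-specific URLs can be closed off by validating the URL before it reaches the client process. The following is an added example, not Cisco's code or anything from the Watchcom report; the scheme `example-im`, the binary `example-client` and the `--url` option are hypothetical placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"example-im"}   # hypothetical scheme, not Jabber's real one
CLIENT_ARGV = ["example-client", "--url"]  # hypothetical binary and option
# Allowlist for the raw URL: no whitespace, quotes, backslashes or controls.
SAFE_URL = re.compile(r"[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
FORBIDDEN_DECODED = set("\"'`\\")
MAX_DECODE_ROUNDS = 3


class RejectedURL(ValueError):
    """Raised when a URL must not be handed to the client process."""


def fully_decode(value):
    """Percent-decode repeatedly so double-encoded characters are seen too."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise RejectedURL("too many layers of percent-encoding")


def build_argv(url):
    """Return the argument list for the client, or raise RejectedURL."""
    if not SAFE_URL.fullmatch(url):
        raise RejectedURL("character outside the allowlist")
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedURL("unexpected scheme")
    for ch in fully_decode(url):
        if ch.isspace() or ch in FORBIDDEN_DECODED or not ch.isprintable():
            raise RejectedURL("separator, quote or control character after decoding")
    # The URL stays one list element; it is never spliced into a command string.
    return CLIENT_ARGV + [url]


def accepts(url):
    """True if build_argv would hand this URL to the client."""
    try:
        build_argv(url)
        return True
    except RejectedURL:
        return False
```

Passing the returned list to a process-spawning API that takes an argument vector, rather than formatting a command string, keeps the URL as a single argument even if validation is later relaxed.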

In light of these findings, Watchcom recommends that organizations temporarily disable communication with external entities using Cisco Jabber until all users have installed the necessary updates. This proactive approach can help mitigate the risks posed by these vulnerabilities, protecting businesses from potential cyber threats.
