Critical Cisco Jabber Bug Gets Updated Fix
A series of bugs, patched in September, still allow remote code execution by attackers.
Cisco Systems released updated patches for a critical vulnerability in its video and instant messaging platform Jabber. The flaws were patched in September; however, the researchers who originally found the bugs identified new ways to exploit the same flaws.
The most serious of the bugs is the critical remote code-execution (RCE) flaw impacting Cisco Jabber for Windows, Jabber for MacOS and Jabber for mobile platforms. Attackers can exploit the bug merely by sending a target a specially crafted message – no user interaction required.
The flaw (CVE-2020-26085) has a CVSS score of 9.9 out of 10, making it critical in severity. Researchers with Watchcom, who discovered the flaw, said at the time of the original discovery that the implications of the vulnerability are especially serious given the current pandemic-driven work-from-home trend.
“We are not aware of any active exploitation of the vulnerabilities,” Watchcom told Threatpost on Thursday. “Both the original discovery of the vulnerabilities and the ‘re-discovery’ were made during security audits for a client.”
Patch, Update, Patch and Repeat
Three Cisco Jabber vulnerabilities are still open to attack. The first is a cross-site scripting bug leading to RCE (CVE-2020-26085), with a 9.9 CVSS rating. The second is a password-hash-stealing information disclosure flaw (CVE-2020-27132), with a CVSS severity rating of 6.5. Lastly, there is the protocol handler command injection vulnerability (CVE-2020-27127), with a CVSS severity rating of 4.3.
Updated patches are available via Cisco’s Security Advisories support site.
“Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed,” wrote researchers.
“We were able to find new injection points that could be used to exploit the vulnerabilities. All currently supported versions of the Cisco Jabber client (12.1 – 12.9) are affected. The three vulnerabilities have been assigned new CVE numbers to distinguish them from the vulnerabilities disclosed in September,” researchers wrote.
Nightmare Attack Scenario
To exploit these vulnerabilities, all a hacker needs is to be able to send a Jabber chat message to the victim, according to Watchcom.
“This could happen if the targeted company allows adding contacts outside of the organization or if the attacker gains access to an employee’s Jabber username and password,” researchers wrote. “Once the attacker is able to send chat messages, he can take full control over the computers of everyone in the organization. The person receiving the message does not have to do anything, the attacker’s malicious code will run automatically once the message is received.”
To exploit the two message handling vulnerabilities (CVE-2020-26085, CVE-2020-27132) an attacker would need to send an Extensible Messaging and Presence Protocol (XMPP) message to a system running the Cisco Jabber client. “Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients,” Cisco noted.
Next, an attacker can cause the Jabber application to “run an arbitrary executable that already exists within the local file path of the application,” researchers said. The executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application, Watchcom wrote.
Cisco explained the vulnerabilities are not dependent on one another. “Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities,” it wrote in its Cisco Security Advisory Thursday.
The post “Critical Cisco Jabber Bug Gets Updated Fix” appeared first on Threat Post
Source: Threat Post – Tom Spring
