Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again.
The vulnerability, which was first disclosed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app failed to properly filter potentially malicious elements contained in user-sent messages. The filter was based on an incomplete blocklist that could be bypassed using a programming attribute known as onanimationstart.
Messages that contained the attribute passed directly to DOM of an embedded browser. Because the browser was based on the Chromium Embedded Framework, it would execute any scripts that made it through the filter.
With the filter bypassed, the researchers still had to find a way to break out of a security sandbox that’s designed to keep user input from reaching sensitive parts of the operating system. The researchers eventually settled on a function called CallCppFunction, which among other things Cisco Jabber uses to open files one user receives from another.
In all, Watchcom reported four vulnerabilities, all of which received patches at the same time they were disclosed in September. On Thursday, however, the Watchcom researchers said fixes for three of them were incomplete.
In a blog post, company researchers wrote:
Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages. The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities.
One of these injection points is the filename of a file sent through Cisco Jabber. The filename is specified by the name attribute of a file tag sent over XMPP. This attribute is displayed in the DOM when an incoming file transfer is received. The value of the attribute is not sanitized before being added to the DOM, making it possible to inject arbitrary HTML tags into the file transfer message by manipulating it.
No additional security measures had been put in place and it was therefore possible to both gain remote code execution and steal NTLM password hashes using this new injection point.
The three vulnerabilities, along with their descriptions and common vulnerability scoring system ratings are:
- CVE-2020-26085: Cisco Jabber Cross-Site Scripting leading to RCE (CVSS 9.9)
- CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure (CVSS 6.5)
- CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection (CVSS 4.3)
The researchers recommended that the updates be installed as soon as possible. Until all employees are patched, organizations should consider disabling all external communications. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 through 12.9). Cisco has details here.