Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that could allow an attacker to execute malicious code that would spread from computer to computer without requiring user interaction. Once again.
The vulnerability, which was first revealed in September, is the result of several flaws discovered by researchers from the security firm Watchcom Security. First, the app failed to properly filter potentially malicious elements in messages sent by the user. The filter was based on an incomplete block list that could be bypassed with a programming attribute called onanimationstart.
Messages containing the attribute were passed directly to the DOM of an embedded browser. Since the browser was based on the Chromium Embedded Framework, all scripts that went through the filter were executed.
After the filter was bypassed, the researchers still had to find a way to break out of a security sandbox designed to prevent user input from reaching sensitive parts of the operating system. The researchers eventually decided on a function called CallCppFunction, which Cisco Jabber uses, among other things, to open files that one user receives from another.
In total, Watchcom reported four vulnerabilities, all of which received patches when they were released in September. However, on Thursday, Watchcom researchers said the corrections were incomplete for three of them.
In a blog post, corporate researchers wrote:
Two of the vulnerabilities are caused by the ability to insert custom HTML tags into XMPP messages. The patch released in September only patched the specific injection points that Watchcom had identified. The underlying problem was not addressed. We were therefore able to find new injection points with which the security gaps can be exploited.
One of these injection points is the filename of a file sent through Cisco Jabber. The file name is specified by the name attribute of a file tag sent via XMPP. This attribute is displayed in the DOM when an incoming file transfer is received. The value of the attribute is not sanitized before it is added to the DOM, so any HTML tags can be edited into the file transfer message.
No additional security measures were in place, so it was possible to both achieve remote code execution and steal NTLM password hashes with this new injection point.
The three vulnerabilities, along with their descriptions and general ratings of the vulnerability assessment system, are:
- CVE-2020-26085: Cisco Jabber Cross-Site Scripting Leads to RCE (CVSS 9.9)
- CVE-2020-27132: Disclosure of Cisco Jabber Password Hash Theft Information (CVSS 6.5)
- CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection (CVSS 4.3)
The researchers recommended installing the updates as soon as possible. Until all employees are patched, companies should consider turning off all external communications. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 through 12.9). Cisco has details here.