Cisco patches critical, wormable RCE flaw in Cisco Jabber

Cisco has patched four vulnerabilities in its Jabber client for Windows, the most critical of which (CVE-2020-3495) could allow attackers to achieve remote code execution by sending specially crafted chat messages.

“No user interaction is required, and the vulnerability can be exploited even when Cisco Jabber is running in the background,” Oslo-based cybersecurity company Watchcom explained. That particular flaw is also wormable, they say.

CVE-2020-3495

Cisco Jabber is a video conferencing and instant messaging application that’s often used within enterprises for internal communication and collaboration. It’s a commercial implementation of the Extensible Messaging and Presence Protocol (XMPP).

CVE-2020-3495 affects all currently supported versions of the Jabber client for Windows (12.1 – 12.9), but not if the client is:

• In phone-only mode without XMPP messaging services enabled
• Configured to use messaging services other than XMPP messaging

“To exploit this vulnerability, an attacker must be able to send XMPP messages to end-user systems running Cisco Jabber for Windows. Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients,” Cisco explained.

“As a result of exploitation, an attacker could cause the application to run an arbitrary executable that already exists within the local file path of the application. The executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application.”

Watchcom researchers have provided more technical details about the flaw, and pointed out that since the Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack.

They’ve also demonstrated how CVE-2020-3495 and CVE-2020-3430 (another vulnerability they discovered) can be chained to achieve RCE through a single message:

The other three flaws

CVE-2020-3430 is a protocol handler command injection vulnerability that, on its own, can be exploited by an unauthenticated, remote attacker that manages to convince a user to click a link within a message sent by email or other messaging platform. A successful exploit leads to RCE.

CVE-2020-3498 and CVE-2020-3537 are information disclosure vulnerabilities that could only be leveraged remotely by an authenticated attacker.

“These do not allow remote code execution but can be exploited to collect NTLM password hashes from unsuspecting users,” Watchcom researchers noted.

As there are no workarounds for any of the aforementioned flaws, organizations that have deployed Cisco Jabber are advised to update to one of the fixed versions (12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3 or 12.9.1) as soon as possible.

The good news is, though, that the Cisco Product Security Incident Response Team is not aware of any public announcements or malicious use of any of these flaws, but that could change soon – so get patching!