In September 2020, Cisco patched four Jabber vulnerabilities (including one wormable RCE flaw), but as it turns out, three of four have not been sufficiently mitigated.
The incompleteness of the patches was discovered by Watchcom researchers – who discovered and disclosed the batch of vulnerabilities made public in September – after one of their clients requested they verify the effectiveness of Cisco’s patches.
A wormable Jabber RCE and more
“Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed. As such, we were able to find new injection points that could be used to exploit the vulnerabilities,” the researchers explained.
The three old/new vulnerabilities received new CVEs (but have the same impact as the original ones):
- CVE-2020-26085: Cisco Jabber Cross-Site Scripting leading to RCE
- CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure
- CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection
Of these, the first one is the most critical and duly received a CVSS score of 9.9, as it can be used by an unauthenticated attacker to achieve RCE, requires no user interaction, is wormable, and can be exploited by sending an instant message.
The other two may allow the collection of NTLM password hashes from unsuspecting users (also via an instant message) and command injection. More technical information about each can be found here.
Cisco has also, in the meantime, discovered two other vulnerabilities that it has patched along with these: CVE-2020-27134, a message handling script injection flaw, and CVE-2020-27133, a custom protocol handler command injection vulnerability.
“The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” Cisco explained.
Cisco Jabber is a popular video conferencing and instant messaging application that’s often used within enterprises for internal communication and collaboration.
Cisco has pushed out security updates for the Windows, macOS, Android and iOS clients/apps, and is urging users to implement them as there are no workarounds available.
The good news is that there is no indication these are currently being exploited in the wild, though there are tantalizing targets that use it:
I trust that European officials had Cisco Jabber's videoconferencing software swiftly updated by the IT management, automatically. Less clear is what happens with personal devices. Almost every EU official has or had this stuff installed on personal devices, esp. due to Covid. https://t.co/JX5wVma2Qb
— Lukasz Olejnik (@lukOlejnik) December 12, 2020
“The continued existence of these vulnerabilities, even after the first patch, highlights the complexity of modern software and the challenges developers face when trying to secure it. When choosing to use frameworks such as CEF, it is important to consider their security implications. Security should also be considered in every step of the development process, both in the initial planning stages as well as during implementation and maintenance,” Watchcom researchers pointed out.
“This also serves as a reminder that software acquired from external vendors also poses a risk to organizations’ IT security. It is important to be aware of these risks and take steps to mitigate them. Watchcom recommends regular audits of third-party software for security vulnerabilities.”