Cisco has fortified its Jabber conferencing and messaging application against a critical vulnerability that makes it possible for attackers to run malicious code that will spread from computer to computer without the required user interaction. Again.
The vulnerability, which was first revealed in September, is the result of several flaws discovered by researchers at the security company Watchcom Security. First, the application fails to properly filter potentially malicious elements in messages sent by a user. The filter is based on an incomplete block list that can be bypassed by using the HTML event-handler attribute known as onanimationstart.
Messages carrying the attribute are passed directly to the DOM of an embedded browser. Because the browser is based on the Chromium Embedded Framework, it will run any script that gets through the filter.
With the filter bypassed, the researchers still had to find a way to break out of the security sandbox designed to prevent user input from reaching sensitive parts of the operating system. They eventually settled on a function called CallCppFunction, which Cisco Jabber uses, among other things, to open files that one user receives from another.
In all, Watchcom reported four vulnerabilities, all of which received patches at the same time they were revealed in September. On Thursday, however, Watchcom researchers said the fixes for three of them were incomplete.
In a blog post, company researchers wrote:
Two of the vulnerabilities are caused by the ability to insert custom HTML tags into XMPP messages. The patch released in September only blocks the specific injection points that Watchcom had identified. The underlying issue was not fixed, so it was possible to find new injection points that can be used to exploit the vulnerabilities.
One of these injection points is the file name of a file sent via Cisco Jabber. The file name is specified by the name attribute of the file element sent over XMPP. This value is inserted into the DOM when an incoming file transfer is received. The value is not sanitized before it is added to the DOM, making it possible to insert arbitrary HTML tags into the file transfer message by manipulating it.
No additional security measures have been implemented, and it is possible to both gain remote code execution and steal NTLM password hashes using this new injection point.
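The two weaknesses described above, an attribute block list that misses handlers such as onanimationstart and a file name inserted into the DOM without sanitization, can be illustrated side by side. The following is an added example, not code from Cisco, Watchcom or the article; the tag parser, the allowed and blocked attribute sets and the sample file name are constructed for illustration.

```javascript
// Added example (not Cisco's or Watchcom's code): an attribute blocklist,
// the filtering approach the article describes, beside an allowlist, plus
// escaping of an XMPP file name so it is rendered as text, not markup.

// Parse a single opening tag like <b onanimationstart="x"> into {tag, attrs}.
function parseTag(html) {
  const m = /^<\s*([a-zA-Z][\w-]*)([^>]*)>/.exec(html);
  if (!m) return null;
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
  }
  return { tag: m[1].toLowerCase(), attrs };
}

// Blocklist (constructed): removes only the handlers someone thought of.
// Any handler not listed, such as onanimationstart, passes straight through.
const BLOCKED_ATTRS = new Set(['onclick', 'onload', 'onerror', 'onmouseover']);
function blocklistFilter(tag) {
  const attrs = {};
  for (const [k, v] of Object.entries(tag.attrs)) {
    if (!BLOCKED_ATTRS.has(k)) attrs[k] = v;
  }
  return { tag: tag.tag, attrs };
}

// Allowlist (constructed): only known tags with known attributes survive, so
// every on* handler is dropped without having to be enumerated.
const ALLOWED = { a: ['href', 'title'], b: [], i: [], span: ['class'] };
function allowlistFilter(tag) {
  const allowedAttrs = ALLOWED[tag.tag];
  if (!allowedAttrs) return null; // unknown tag: drop it entirely
  const attrs = {};
  for (const [k, v] of Object.entries(tag.attrs)) {
    if (allowedAttrs.includes(k)) attrs[k] = v;
  }
  if ('href' in attrs && !/^https?:\/\//i.test(attrs.href)) delete attrs.href;
  return { tag: tag.tag, attrs };
}

// A file name is data, not markup: escape it so no tag can be formed at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderFileTransfer(fileName) {
  return `<div class="file-transfer">Incoming file: ${escapeHtml(fileName)}</div>`;
}
```

The point of the contrast is that a blocklist has to predict every attribute the embedded Chromium browser will honour, while an allowlist and plain escaping do not.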
The three vulnerabilities, along with their descriptions and Common Vulnerability Scoring System (CVSS) ratings, are:
- CVE-2020-26085: Cisco Jabber cross-site scripting leading to RCE (CVSS 9.9)
- CVE-2020-27132: Cisco Jabber password hash stealing information disclosure (CVSS 6.5)
- CVE-2020-27127: Cisco Jabber custom protocol handler command injection (CVSS 4.3)
Researchers recommend that the updates be installed as soon as possible. Until all employees have installed them, organizations should consider disabling all external communications. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 through 12.9). Cisco has the details here.