High
CVE-2020-3495
Description
A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
This XSS combined with CVE-2020-3430, a protocol handler RCE vulnerability, is a potent combination.
Note that this attack requires intercepting/sending a crafted message to a recipient. It does not, however, require their interaction. If an attacker has local access to Jabber or is otherwise authenticated to a Jabber network, this isn’t a stretch.
Please patch this in your corporate networks! Attackers have been known to read IM messages and even send phishing links through them. This is worse, since it’s potentially wormable RCE… if you use Jabber at all. :–)
Technical Analysis
It is doesn’t user interaction and
General Information
Vendors
- cisco
Products
- jabber
Technical Analysis
Description
On September 2, 2020, Cisco published security advisories for four vulnerabilities in their Jabber client for Windows software. The most severe of these vulnerabilities are CVE-2020-3495, a potentially wormable arbitrary code execution vulnerability that arises from improper validation of Jabber message contents, and CVE-2020-3430, a command injection vulnerability in Jabber for Windows’s protocol handler. The Watchcom security researchers who discovered the flaws demonstrated that the two vulnerabilities can be chained during exploitation to achieve remote code execution on a target system without any user interaction.
Cisco’s advisories stated that they are not aware of active exploitation of either vulnerability.
Affected products
- Cisco Jabber for Windows < 12.1.3
- Cisco Jabber for Windows < 12.5.2
- Cisco Jabber for Windows < 12.6.3
- Cisco Jabber for Windows < 12.7.2
- Cisco Jabber for Windows < 12.8.3
- Cisco Jabber for Windows < 12.9.1
Cisco Jabber for MacOS and mobile platforms are not affected.
CVE-2020-3495
Exploitation of CVE-2020-3495 requires an attacker to send specially-crafted Extensible Messaging and Presence Protocol (XMPP) messages to end users running the affected software. Successful exploitation allows an attacker to cause the application to run an arbitrary executable that already exists within the local file path of the application. The executable would run on the end user system with the privileges of the user who initiated the Cisco Jabber client application. The vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging. CVE-2020-3495 carries a CVSSv3 base score of 9.9.
CVE-2020-3430
Exploitation of CVE-2020-3430 requires an attacker to convince a user to click a link within a message sent by email or other messaging platform. Successful exploitation allows an attacker to execute arbitrary commands on a target system with the privileges of the user account that is running the Cisco Jabber client software. CVE-2020-3430 carries a CVSSv3 base score of 8.8.
Note: CVE-2020-3430 alone technically requires a user to click a link; however, attackers can achieve remote code execution with no user interaction required by forcing a target system to execute arbitrary code delivered via a cross-site scripting (XSS) attack enabled by CVE-2020-3495.
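The chain above starts with markup in an XMPP message that the client renders without adequate validation. As an added example that is not part of the original page or of Cisco's or Watchcom's material, the following Python inspects a message stanza's XHTML-IM content (XEP-0071, assumed here as the rich-text carrier) and flags elements, event-handler attributes and link schemes outside a small allowlist, the kind of check a server-side filter or a log-review script could apply to chat traffic. The sample stanzas are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces used by XMPP rich-text messages (XEP-0071 / XHTML).
NS_XHTML_IM = "http://jabber.org/protocol/xhtml-im"

# Allowlist: the subset of XHTML-IM a chat client legitimately needs to render.
SAFE_TAGS = {"html", "body", "p", "span", "a", "br", "strong", "em"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on qualified names.
    return tag.rsplit("}", 1)[-1].lower()


def inspect_message(stanza_xml):
    """Return findings for markup that a client with weak validation might render or act on."""
    findings = []
    html = ET.fromstring(stanza_xml).find("{%s}html" % NS_XHTML_IM)
    if html is None:
        return findings  # plain-text body only: nothing is rendered as markup
    for elem in html.iter():
        name = _local(elem.tag)
        if name not in SAFE_TAGS:
            findings.append("disallowed element <%s>" % name)
        for attr, value in elem.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onerror, onload, onclick, ...
                findings.append("event handler attribute %s on <%s>" % (a, name))
            elif a in ("href", "src"):
                # Non-http(s) schemes are what hand a link to a protocol handler.
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    findings.append("%s with scheme %r on <%s>" % (a, scheme, name))
    return findings


# Constructed sample stanzas (not captured traffic).
BENIGN = """<message xmlns="jabber:client" from="alice@example.com" to="bob@example.com" type="chat">
  <body>hello</body>
  <html xmlns="http://jabber.org/protocol/xhtml-im">
    <body xmlns="http://www.w3.org/1999/xhtml"><p>hello <a href="https://example.com/">link</a></p></body>
  </html></message>"""

SUSPICIOUS = """<message xmlns="jabber:client" from="mallory@example.com" to="bob@example.com" type="chat">
  <body>hi</body>
  <html xmlns="http://jabber.org/protocol/xhtml-im">
    <body xmlns="http://www.w3.org/1999/xhtml"><p>hi</p><script>x()</script>
    <img src="x" onerror="x()"/><a href="example-handler://run">click</a></body>
  </html></message>"""

if __name__ == "__main__":
    for label, stanza in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_message(stanza))
```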
Rapid7 analysis
These vulnerabilities are highly useful to attackers with local or authenticated access to Jabber, even before considering the potential wormability of CVE-2020-3495. As with any corporate chat platform, organizations that rely on Jabber for employee communication and connection will likely have mandated its use across their businesses; this is particularly true during COVID-19 when employees are frequently or entirely remote. In effect, that means every user with a Jabber client for Windows is a potential attack target. Wormability further means that a single successful exploit chain could compromise large swaths of an organization.
Automating a full exploit chain for CVE-2020-3495 and CVE-2020-3430 is at least somewhat involved. However, as Watchcom demonstrated, the vulnerabilities can easily be chained manually during internal security assessments or multi-stage attacks in which attackers are able to authenticate to a Jabber network.
Guidance
There are no workarounds for these vulnerabilities. We recommend that Cisco customers using Jabber for Windows update to an unaffected version of the software as soon as possible.
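To act on that guidance at scale you need to know which installed builds fall below the fixed release of their train. The following Python is an added example, not part of the original page or of Cisco's tooling: it encodes the "Affected products" list above as fixed releases per train and triages a constructed inventory of hostname-to-version pairs. Trains the advisory does not list are reported as unknown rather than guessed.

```python
# Fixed (unaffected) releases per train, taken from the "Affected products"
# list on this page: any build below the listed release in that train is affected.
FIXED_BY_TRAIN = {
    (12, 1): (12, 1, 3),
    (12, 5): (12, 5, 2),
    (12, 6): (12, 6, 3),
    (12, 7): (12, 7, 2),
    (12, 8): (12, 8, 3),
    (12, 9): (12, 9, 1),
}


def parse_version(text):
    """'12.7.1' -> (12, 7, 1); a trailing build number such as '12.9.0.301234' is ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in parts[:3])


def assess(version_text):
    """Return 'affected', 'fixed' or 'unknown-train' for one Jabber for Windows build."""
    v = parse_version(version_text)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        return "unknown-train"  # not in the advisory list: check the vendor advisory
    return "affected" if v < fixed else "fixed"


def triage(inventory):
    """inventory: {hostname: version string}; returns hostnames grouped by status."""
    groups = {"affected": [], "fixed": [], "unknown-train": []}
    for host, ver in sorted(inventory.items()):
        groups[assess(ver)].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "12.7.1",
    "ws-02": "12.7.2",
    "ws-03": "12.9.0.301234",
    "ws-04": "12.9.1",
    "ws-05": "12.1.2",
    "ws-06": "12.3.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-13s %s" % (status + ":", ", ".join(hosts) or "-"))
```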