Attacker Value
High
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
1

CVE-2020-3495

Disclosure Date: September 04, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.

Add Assessment

2
Ratings
Technical Analysis

This XSS combined with CVE-2020-3430, a protocol handler RCE vulnerability, is a potent combination.

Note that this attack requires intercepting/sending a crafted message to a recipient. It does not, however, require their interaction. If an attacker has local access to Jabber or is otherwise authenticated to a Jabber network, this isn’t a stretch.

Please patch this in your corporate networks! Attackers have been known to read IM messages and even send phishing links through them. This is worse, since it’s potentially wormable RCE… if you use Jabber at all. :–)

-1
Ratings
Technical Analysis

It is doesn’t user interaction and

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • cisco

Products

  • jabber

Additional Info

Technical Analysis

Description

On September 2, 2020, Cisco published security advisories for four vulnerabilities in their Jabber client for Windows software. The most severe of these vulnerabilities are CVE-2020-3495, a potentially wormable arbitrary code execution vulnerability that arises from improper validation of Jabber message contents, and CVE-2020-3430, a command injection vulnerability in Jabber for Windows’s protocol handler. The Watchcom security researchers who discovered the flaws demonstrated that the two vulnerabilities can be chained during exploitation to achieve remote code execution on a target system without any user interaction.

Cisco’s advisories stated that they are not aware of active exploitation of either vulnerability.

Affected products

  • Cisco Jabber for Windows < 12.1.3
  • Cisco Jabber for Windows < 12.5.2
  • Cisco Jabber for Windows < 12.6.3
  • Cisco Jabber for Windows < 12.7.2
  • Cisco Jabber for Windows < 12.8.3
  • Cisco Jabber for Windows < 12.9.1

Cisco Jabber for MacOS and mobile platforms are not affected.

CVE-2020-3495

Exploitation of CVE-2020-3495 requires an attacker to send specially-crafted Extensible Messaging and Presence Protocol (XMPP) messages to end users running the affected software. Successful exploitation allows an attacker to cause the application to run an arbitrary executable that already exists within the local file path of the application. The executable would run on the end user system with the privileges of the user who initiated the Cisco Jabber client application. The vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging. CVE-2020-3495 carries a CVSSv3 base score of 9.9.

CVE-2020-3430

Exploitation of CVE-2020-3430 requires an attacker to convince a user to click a link within a message sent by email or other messaging platform. Successful exploitation allows an attacker to execute arbitrary commands on a target system with the privileges of the user account that is running the Cisco Jabber client software. CVE-2020-3430 carries a CVSSv3 base score of 8.8.

Note: CVE-2020-3430 alone technically requires a user to click a link; however, attackers can achieve remote code execution with no user interaction required by forcing a target system to execute arbitrary code delivered via a cross-site scripting (XSS) attack enabled by CVE-2020-3495.

Rapid7 analysis

These vulnerabilities are highly useful to attackers with local or authenticated access to Jabber, even before considering the potential wormability of CVE-2020-3495. As with any corporate chat platform, organizations that rely on Jabber for employee communication and connection will likely have mandated its use across their businesses; this is particularly true during COVID-19 when employees are frequently or entirely remote. In effect, that means every user with a Jabber client for Windows is a potential attack target. Wormability further means that a single successful exploit chain could compromise large swaths of an organization.

Automating a full exploit chain for CVE-2020-3495 and CVE-2020-3430 is at least somewhat involved. However, as Watchcom demonstrated, the vulnerabilities can easily be chained manually during internal security assessments or multi-stage attacks in which attackers are able to authenticate to a Jabber network.

Guidance

There are no workarounds for these vulnerabilities. We recommend that Cisco customers using Jabber for Windows update to an unaffected version of the software as soon as possible.

References