Attacker Value: Very High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: Required
Privileges Required: None
Attack Vector: Network

CVE-2020-3430

Disclosure Date: September 04, 2020

Description

Upon installation, Cisco Jabber registers protocol handlers for a number of different protocols. These are used to tell the operating system that whenever a user clicks on a URL containing one of the custom protocols (e.g. ciscoim:test@example.com) the URL should be passed to Cisco Jabber. In this case, the protocol handlers specify that the URL should be passed as a command line flag.

These protocol handlers are vulnerable to command injection because they fail to account for URLs that contain spaces. By including a space in the URL, an attacker can inject arbitrary command line flags that are then passed to the application. Since the application uses CEF (Chromium Embedded Framework) and accepts Chromium command line flags, several flags exist that can be used to execute arbitrary commands or load arbitrary DLLs. One such flag is --gpu-launcher, which specifies a command to be executed when CEF's GPU process is started.
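The mechanism above, as an added example that is not Cisco's, Watchcom's or this page's code: an unquoted %1 in a handler command template is expanded into the command line before argv splitting, so a URL containing a space becomes extra arguments. The handler template, executable path, allowed-scheme set and the --injected-flag token are constructed placeholders (not the real Jabber registration), and the tokenizer only models the one rule Windows and POSIX share, that unquoted whitespace separates arguments. The validate/build functions show what a handler should do with the URL instead.

```python
"""Why an unquoted protocol-handler command template is a command-injection
sink, and what a handler should check before passing the URL along.

Added example (not Cisco's, Watchcom's or this page's code). The handler
template, executable path, allowed-scheme set and the '--injected-flag'
token are constructed placeholders, not the real Jabber registration.
"""
import re

# Hypothetical registration in the style of a Windows shell\open\command
# value; %1 is replaced with the clicked URL with no quoting around it.
HANDLER_TEMPLATE = r'"C:\Program Files\Example\jabber-like.exe" --uri=%1'

# Assumed set of schemes the handler is registered for.
ALLOWED_SCHEMES = {"ciscoim", "ciscotel", "im", "tel", "xmpp"}


def expand_command_line(template: str, url: str) -> str:
    """Substitute the URL into the template exactly as an unquoted %1 is."""
    return template.replace("%1", url)


def tokenize(command_line: str) -> list[str]:
    """Approximate argv splitting: double-quoted runs stay together, any
    unquoted whitespace ends a token. Windows and POSIX differ in details,
    but both share this rule, and it is the rule that matters here."""
    tokens, current, in_quotes, have_token = [], [], False, False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(current))
    return tokens


# A scheme, then a body that contains no whitespace or double quotes at all.
_URL_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):([^\s\"]+)")


def validate_handler_url(url: str) -> bool:
    """Accept only a known scheme followed by a non-empty body that cannot
    be re-split into further arguments."""
    m = _URL_RE.fullmatch(url)
    return m is not None and m.group(1).lower() in ALLOWED_SCHEMES


def build_argv(executable: str, url: str) -> list[str]:
    """Hardened launch path: validate first, then hand the URL over as a
    single argv element so no command-line re-tokenization ever happens."""
    if not validate_handler_url(url):
        raise ValueError(f"rejected handler URL: {url!r}")
    return [executable, f"--uri={url}"]


if __name__ == "__main__":
    benign = "ciscoim:test@example.com"
    hostile = "ciscoim:test@example.com --injected-flag=value"  # constructed
    for url in (benign, hostile):
        argv = tokenize(expand_command_line(HANDLER_TEMPLATE, url))
        print(f"{url!r} -> {len(argv)} argv tokens: {argv[1:]}")
        print("  validator accepts:", validate_handler_url(url))
```

Quoting the placeholder as "%1" in the registration narrows the problem but is not sufficient on its own, since a URL containing a double quote can still close the quoted region; rejecting whitespace and quotes before the URL ever reaches a command line, and passing it as a single argv element, removes the re-tokenization step entirely.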

This vulnerability can be combined with the XSS vulnerability (CVE-2020-3495) to achieve code execution without transferring any files to the victim. This makes it possible to deliver malware without writing any files to disk, thus bypassing most antivirus software.

General Information

Vendors

  • Cisco

Products

  • Cisco Jabber

Additional Info

Technical Analysis

Description

On September 2, 2020, Cisco published security advisories for four vulnerabilities in its Jabber client for Windows. The most severe of these are CVE-2020-3495, a potentially wormable arbitrary code execution vulnerability that arises from improper validation of Jabber message contents, and CVE-2020-3430, a command injection vulnerability in the Jabber for Windows protocol handler. The Watchcom security researchers who discovered the flaws demonstrated that the two vulnerabilities can be chained during exploitation to achieve remote code execution on a target system without any user interaction.

Cisco’s advisories stated that they are not aware of active exploitation of either vulnerability.

Affected products

  • Cisco Jabber for Windows < 12.1.3
  • Cisco Jabber for Windows < 12.5.2
  • Cisco Jabber for Windows < 12.6.3
  • Cisco Jabber for Windows < 12.7.2
  • Cisco Jabber for Windows < 12.8.3
  • Cisco Jabber for Windows < 12.9.1

Cisco Jabber for macOS and for mobile platforms is not affected.

CVE-2020-3495

Exploitation of CVE-2020-3495 requires an attacker to send specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to end users running the affected software. Successful exploitation allows an attacker to cause the application to run an arbitrary executable that already exists within the local file path of the application. The executable runs on the end user's system with the privileges of the user who started the Cisco Jabber client. The vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP. CVE-2020-3495 carries a CVSSv3 base score of 9.9.

CVE-2020-3430

Exploitation of CVE-2020-3430 requires an attacker to convince a user to click a link within a message sent by email or other messaging platform. Successful exploitation allows an attacker to execute arbitrary commands on a target system with the privileges of the user account that is running the Cisco Jabber client software. CVE-2020-3430 carries a CVSSv3 base score of 8.8.

Note: CVE-2020-3430 alone technically requires a user to click a link; however, attackers can achieve remote code execution with no user interaction required by forcing a target system to execute arbitrary code delivered via a cross-site scripting (XSS) attack enabled by CVE-2020-3495.

Rapid7 analysis

These vulnerabilities are highly useful to attackers with local or authenticated access to Jabber, even before considering the potential wormability of CVE-2020-3495. As with any corporate chat platform, organizations that rely on Jabber for employee communication and connection will likely have mandated its use across their businesses; this is particularly true during COVID-19 when employees are frequently or entirely remote. In effect, that means every user with a Jabber client for Windows is a potential attack target. Wormability further means that a single successful exploit chain could compromise large swaths of an organization.

Automating a full exploit chain for CVE-2020-3495 and CVE-2020-3430 is at least somewhat involved. However, as Watchcom demonstrated, the vulnerabilities can easily be chained manually during internal security assessments or multi-stage attacks in which attackers are able to authenticate to a Jabber network.

Guidance

There are no workarounds for these vulnerabilities. We recommend that Cisco customers using Jabber for Windows update to an unaffected version of the software as soon as possible.
