Very High
CVE-2020-3430
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-3430
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A vulnerability in the application protocol handling features of Cisco Jabber for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands. The vulnerability is due to improper handling of input to the application protocol handlers. An attacker could exploit this vulnerability by convincing a user to click a link within a message sent by email or other messaging platform. A successful exploit could allow the attacker to execute arbitrary commands on a targeted system with the privileges of the user account that is running the Cisco Jabber client software.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
Please see CVE-2020-3495 for an example exploit chain.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- cisco
Products
- jabber
References
Additional Info
Technical Analysis
Description
On September 2, 2020, Cisco published security advisories for four vulnerabilities in their Jabber client for Windows software. The most severe of these vulnerabilities are CVE-2020-3495, a potentially wormable arbitrary code execution vulnerability that arises from improper validation of Jabber message contents, and CVE-2020-3430, a command injection vulnerability in Jabber for Windows’s protocol handler. The Watchcom security researchers who discovered the flaws demonstrated that the two vulnerabilities can be chained during exploitation to achieve remote code execution on a target system without any user interaction.
Cisco’s advisories stated that they are not aware of active exploitation of either vulnerability.
Affected products
- Cisco Jabber for Windows < 12.1.3
- Cisco Jabber for Windows < 12.5.2
- Cisco Jabber for Windows < 12.6.3
- Cisco Jabber for Windows < 12.7.2
- Cisco Jabber for Windows < 12.8.3
- Cisco Jabber for Windows < 12.9.1
Cisco Jabber for MacOS and mobile platforms are not affected.
CVE-2020-3495
Exploitation of CVE-2020-3495 requires an attacker to send specially-crafted Extensible Messaging and Presence Protocol (XMPP) messages to end users running the affected software. Successful exploitation allows an attacker to cause the application to run an arbitrary executable that already exists within the local file path of the application. The executable would run on the end user system with the privileges of the user who initiated the Cisco Jabber client application. The vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging. CVE-2020-3495 carries a CVSSv3 base score of 9.9.
CVE-2020-3430
Exploitation of CVE-2020-3430 requires an attacker to convince a user to click a link within a message sent by email or other messaging platform. Successful exploitation allows an attacker to execute arbitrary commands on a target system with the privileges of the user account that is running the Cisco Jabber client software. CVE-2020-3430 carries a CVSSv3 base score of 8.8.
Note: CVE-2020-3430 alone technically requires a user to click a link; however, attackers can achieve remote code execution with no user interaction required by forcing a target system to execute arbitrary code delivered via a cross-site scripting (XSS) attack enabled by CVE-2020-3495.
Rapid7 analysis
These vulnerabilities are highly useful to attackers with local or authenticated access to Jabber, even before considering the potential wormability of CVE-2020-3495. As with any corporate chat platform, organizations that rely on Jabber for employee communication and connection will likely have mandated its use across their businesses; this is particularly true during COVID-19 when employees are frequently or entirely remote. In effect, that means every user with a Jabber client for Windows is a potential attack target. Wormability further means that a single successful exploit chain could compromise large swaths of an organization.
Automating a full exploit chain for CVE-2020-3495 and CVE-2020-3430 is at least somewhat involved. However, as Watchcom demonstrated, the vulnerabilities can easily be chained manually during internal security assessments or multi-stage attacks in which attackers are able to authenticate to a Jabber network.
Guidance
There are no workarounds for these vulnerabilities. We recommend that Cisco customers using Jabber for Windows update to an unaffected version of the software as soon as possible.
References
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: