Cisco has once again fixed four previously disclosed critical bugs in its Jabber video conferencing and messaging app that were inadequately addressed, leaving its users susceptible to remote attacks.
The vulnerabilities, if successfully exploited, could allow an authenticated, remote attacker to execute arbitrary code on target systems by sending specially crafted chat messages to group conversations or to specific individuals.
They were reported to the networking equipment maker on September 25 by Watchcom, three weeks after the Norwegian cybersecurity firm publicly disclosed multiple security shortcomings in Jabber that were found during a penetration test for a client in June.
The new flaws, which were uncovered after one of Watchcom's clients requested a verification audit of the patch, affect all currently supported versions of the Cisco Jabber client (12.1 – 12.9).
“Three of the four vulnerabilities Watchcom disclosed in September have not been sufficiently mitigated,” Watchcom said in a report published today. “Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed. As such, we were able to find new injection points that could be used to exploit the vulnerabilities.”
Most critical among the flaws is CVE-2020-26085 (similar to CVE-2020-3495), rated 9.9 out of 10 in severity: a zero-click cross-site scripting (XSS) vulnerability that can be used to achieve remote code execution by escaping the CEF sandbox.
CEF or Chromium Embedded Framework is an open-source framework that’s used to embed a Chromium-based web browser within other apps.
While the embedded browser is sandboxed to prevent unauthorized access to files, the researchers found a way to bypass the protections by abusing window.CallCppFunction, a function designed to open files sent by other Cisco Jabber users.
All an adversary has to do is initiate a file transfer containing a malicious “.exe” file and force the victim to accept it using an XSS attack, then trigger a call to the aforementioned function, causing the executable to be run on the victim’s machine.
Worse, this vulnerability doesn’t require user interaction and is wormable, meaning it can be used to automatically spread the malware to other systems by disguising the payload in a chat message.
A second flaw, CVE-2020-27132, stems from the way Jabber parses HTML tags in XMPP messages. XMPP is an XML-based communications protocol used to facilitate instant messaging between two or more network entities.
Because these tags are not properly sanitized, a harmless file transfer message can be manipulated by injecting, say, an image HTML tag pointing to a malicious URL, or even tags that execute malicious JavaScript code.
“No additional security measures had been put in place and it was therefore possible to both gain remote code execution and steal NTLM password hashes using this new injection point,” the researchers said.
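The defect described above is that text received over XMPP reached the embedded Chromium view as HTML. The following JavaScript is an added illustration, not code from Cisco Jabber or from Watchcom's report, of the two things a client should do with such fields: escape every untrusted value before it is rendered, and record when a field that should be plain text carries markup. The function names, the rendering layout and the sample message (with a placeholder URL) are constructed for this example.

```javascript
// Added example, not Cisco Jabber's or Watchcom's code: escape untrusted XMPP
// message fields before handing them to a Chromium (CEF) view as HTML, and flag
// messages that carry markup so they can be logged. Function names and the
// sample message are constructed for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that can open or close markup or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Detection helper: list the tag names present in an untrusted text field.
// A file name or display name should never contain any, so a non-empty result
// is worth alerting on even though escaping already neutralises it.
function findInjectedTags(text) {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)/g;
  const seen = new Set();
  let m;
  while ((m = tagRe.exec(String(text))) !== null) {
    seen.add(m[1].toLowerCase());
  }
  return [...seen];
}

// Build the HTML for a file-transfer notification. Only the fixed markup here is
// emitted raw; every value that arrived over XMPP goes through escapeHtml.
function renderFileTransferMessage({ from, filename, sizeBytes }) {
  const size = Number.isInteger(sizeBytes) && sizeBytes >= 0 ? sizeBytes : 0;
  return (
    '<div class="file-transfer">' +
    '<span class="from">' + escapeHtml(from) + '</span> sent ' +
    '<span class="filename">' + escapeHtml(filename) + '</span>' +
    ' (' + size + ' bytes)</div>'
  );
}

// Constructed sample: the filename field of a file-transfer message carries an
// injected image tag; the URL is a placeholder, not a real host.
const SAMPLE_MESSAGE = {
  from: 'alice@example.org',
  filename: 'report.pdf<img src="http://placeholder.invalid/x">',
  sizeBytes: 1024,
};

console.log(findInjectedTags(SAMPLE_MESSAGE.filename)); // [ 'img' ]
console.log(renderFileTransferMessage(SAMPLE_MESSAGE));
```

Escaping at the point of rendering, rather than blocking individual tags at the point of receipt, is what removes the "new injection point" problem the researchers describe: a patch that strips one tag leaves every other tag, and every other field, open.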
The third and final vulnerability (CVE-2020-27127) is a command injection flaw concerning protocol handlers, which are used to tell the operating system to open specific URLs (e.g., XMPP://, IM://, and TEL://) in Jabber, making it possible for an attacker to insert arbitrary command-line flags simply by including a space in the URL.
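A protocol handler receives whatever string the operating system was asked to open, so the client must treat it as untrusted input rather than as a ready-made command line. The JavaScript below is an added illustration, not Cisco's handler code: it accepts only the schemes the client registers, refuses any URL containing whitespace, control characters or quotes (the characters that let a single argument turn into several), and rejects an argv that carries anything besides the one expected URL. The function names, the allowed-scheme list and the sample inputs, including the obviously named placeholder flag, are constructed for this example.

```javascript
// Added example, not Cisco Jabber's code: validate a URL delivered through an
// OS protocol-handler registration before the client acts on it. Names, the
// scheme list and all sample inputs are constructed for this illustration.

const ALLOWED_SCHEMES = new Set(['xmpp', 'im', 'tel']);

// Accept a single, whitespace-free, quote-free, printable-ASCII URL with one of
// the registered schemes; report the reason for any rejection so it can be logged.
function validateHandlerUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'empty-or-too-long' };
  }
  // Whitespace or control characters could split off a second argument or flag.
  if (/[\s\x00-\x1f\x7f]/.test(raw)) {
    return { ok: false, reason: 'whitespace-or-control' };
  }
  // A quote can terminate a quoted %1 placeholder in the handler command line.
  if (/["']/.test(raw)) {
    return { ok: false, reason: 'quote' };
  }
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):(.*)$/.exec(raw);
  if (!m) {
    return { ok: false, reason: 'no-scheme' };
  }
  const scheme = m[1].toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: 'scheme-not-allowed', scheme };
  }
  return { ok: true, scheme, target: m[2] };
}

// Validate the argv the OS hands to the client for a handler launch. Exactly one
// positional argument is expected; any flag-looking argument is refused rather
// than forwarded to the real option parser.
function parseHandlerArgv(argv) {
  const flags = argv.filter((a) => a.startsWith('-'));
  const positional = argv.filter((a) => !a.startsWith('-'));
  if (flags.length > 0) {
    return { ok: false, reason: 'unexpected-flag', flags };
  }
  if (positional.length !== 1) {
    return { ok: false, reason: 'expected-one-url' };
  }
  return validateHandlerUrl(positional[0]);
}

// Constructed samples: a normal launch, and a launch where the URL was split on a
// space so that a placeholder flag arrived as a second argument.
console.log(parseHandlerArgv(['xmpp://alice@example.org']));
console.log(parseHandlerArgv(['xmpp://alice@example.org', '--placeholder-flag']));
console.log(validateHandlerUrl('xmpp://alice@example.org --placeholder-flag'));
```

The argv check is the client-side half; the other half is the registration itself, where the handler command should pass the URL as a single quoted placeholder so that the shell does not split it before the client ever sees it.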
Given the self-replicating nature of the attacks, it’s advised that Jabber users update to the latest version of the software to mitigate the risk.
Watchcom also recommends that organizations consider disabling communication with external entities through Cisco Jabber until all employees have installed the update.