Cisco has raised an alert for customers using its Jabber video and instant-messaging client to patch four security flaws, including one critical bug that’s wormable.
Without the latest patch, the Jabber for Windows client allows a remote attacker to exploit the flaw by sending rigged XML-based Extensible Messaging and Presence Protocol (XMPP) messages to the vulnerable Jabber client, according to Cisco.
Such an attack also poses a threat to the Windows system the Jabber client is running on.
SEE: Security Awareness and Training policy (TechRepublic Premium)
“A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution,” Cisco notes.
The bug only affects vulnerable versions of the Cisco Jabber client for Windows that have XMPP messaging services enabled.
The flaw, tracked as CVE-2020-3495, has a severity rating of 9.9 out of 10 and should be patched immediately, given a report by Norwegian pen-tester Olav Sortland Thoresen of Watchcom, who discovered the flaws.
He’s published a detailed account of the four flaws and the design of Jabber, which is based on the Chromium Embedded Framework (CEF). CEF allows developers to embed a natively sandboxed Chromium-based web browser in their applications.
The one critical Jabber flaw allows an attacker to create a worm that spreads malware automatically between Jabber users without requiring user interaction, according to Thoresen.
“Cisco Jabber is vulnerable to Cross Site Scripting (XSS) through XHTML-IM messages. The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter,” he explains.
“Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically.”
While the embedded browser is sandboxed to prevent access to files and performing system calls, he notes developers create ways to bypass the sandbox to add functionality, in this case to allow the client to open files received from other Cisco Jabber users.
“Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack,” explained Thoresen.
“The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim’s machine.”
Thoresen says organizations using Cisco Jabber should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. He’s also provided some indicators that security teams should be watchful for:
- XMPP messages with unusual HTML content
- Invocations of CiscoJabber.exe with unusual flags
- Unusual sub-processes of CiscoJabber.exe
- Malicious files being sent through Cisco Jabber’s file-sharing feature