Cisco has patched a severe vulnerability in its Jabber conferencing and messaging application that made it possible for attackers to execute malicious code capable of spreading from computer to computer without any user interaction. Again.
The vulnerability, which was first disclosed in September, was the result of several flaws discovered by researchers at the security firm Watchcom Security. First, the application failed to properly filter potentially malicious content contained in user-sent messages. The filter was based on an incomplete blocklist that could be bypassed using an HTML event-handler attribute called onanimationstart.
Messages containing the attribute were passed directly to the DOM of an embedded browser. Because that browser was based on the Chromium Embedded Framework, it would execute any script that made it through the filter.
After bypassing the filter, the researchers still had to find a way out of the security sandbox designed to prevent user input from reaching sensitive parts of the operating system. They eventually settled on a function called CLQP, which Cisco Jabber uses, among other things, to open files received by one user from another.
In all, Watchcom reported four vulnerabilities, all of which received patches that were announced in September. On Thursday, however, Watchcom researchers said the fixes for three of them were incomplete.
In a blog post, Watchcom researchers wrote:
Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages. The patch released in September covered only the specific injection points identified by Watchcom. The underlying issue was not addressed. So we were able to find new injection points that could be used to exploit the vulnerabilities.
One of these injection points is the filename of files sent through Cisco Jabber. The filename is specified by the name attribute of the file tag in the XMPP message. This attribute is displayed in the DOM when an incoming file transfer is received. The value of the attribute is not sanitized before it is added to the DOM, making it possible to inject arbitrary HTML tags into the file transfer message.
No additional security measures were put in place, so it was possible both to obtain remote code execution and to steal the NTLM password hash using this new injection point.
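The two weaknesses the article describes, an event-handler blocklist that misses attributes such as onanimationstart and a file name inserted into the DOM without sanitization, can be demonstrated side by side in a small script. This is an added illustration, not code from Cisco or Watchcom; the blocklist contents, the rendering functions and the constructed file name are assumptions chosen to mirror the article's description.

```javascript
// Added illustration (not Cisco's or Watchcom's code): why an event-handler
// blocklist fails and how escaping untrusted XMPP values before they reach the
// DOM removes the whole class of injection the article describes.

// An incomplete blocklist of the kind the article describes (assumed contents):
// it strips a few well-known handlers but not every on* attribute.
const BLOCKED_HANDLERS = ["onclick", "onload", "onerror", "onmouseover"];

function blocklistFilter(html) {
  let out = html;
  for (const name of BLOCKED_HANDLERS) {
    // Remove  name="..."  /  name='...'  /  name=bare  occurrences only.
    out = out.replace(
      new RegExp(`\\s${name}\\s*=\\s*("[^"]*"|'[^']*'|[^\\s>]+)`, "gi"), "");
  }
  return out;
}

// Allowlist by construction: untrusted text is escaped, so it can never become
// markup no matter which element or attribute an attacker picks.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the incoming file-transfer notice from the XMPP <file name="..."> value.
// Both renderers are hypothetical stand-ins for the client's own code.
function renderFileTransferUnsafe(fileName) {
  return `<div class="file-transfer">Incoming file: ${blocklistFilter(fileName)}</div>`;
}
function renderFileTransferSafe(fileName) {
  return `<div class="file-transfer">Incoming file: ${escapeHtml(fileName)}</div>`;
}

// Detection aid for a review or test suite: does the rendered fragment still
// carry any on* handler attribute or a script element?
function containsActiveContent(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Constructed sample file name carrying a handler the blocklist does not know.
const SAMPLE_NAME = `report.pdf<b onanimationstart="x()">`;

// The blocklist-based renderer lets the handler through; the escaping one does not.
console.log(containsActiveContent(renderFileTransferUnsafe(SAMPLE_NAME))); // true
console.log(containsActiveContent(renderFileTransferSafe(SAMPLE_NAME)));   // false
```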
Here are the three vulnerabilities, with their descriptions and Common Vulnerability Scoring System (CVSS) ratings:
- CVE-2020-26085: Cisco Jabber cross-site scripting leading to RCE (CVSS 9.9)
- CVE-2020-27132: Cisco Jabber password hash theft (information disclosure) (CVSS 6.5)
- CVE-2020-27127: Cisco Jabber custom protocol handler command injection (CVSS 4.3)
The researchers recommend that the updates be installed as soon as possible. Organizations should consider disabling all external communications until all employees have installed the update. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 to 12.9). Cisco has published the details.