Zero-Click Wormable RCE Vulnerability in Cisco Jabber Gets Fixed, Again

Cisco Jabber

A series of bugs, patched in September, still allow remote code execution by attackers.

Cisco Systems released an updated patch for a critical vulnerability in its video and instant messaging platform Jabber, originally patched in September. The cross-site scripting bug could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target’s system running the Jabber application.

This critical bug “does not require user interaction and is wormable, since the payload is delivered via an instant message,” said the researchers at Watchcom who found the flaw. “This means that it can be used to automatically spread malware without any user interaction,” they told Threatpost on Thursday.

The bug impacts Cisco Jabber for Windows, Jabber for MacOS and the Jabber for mobile platforms. The flaw (CVE-2020-26085) has a CVSS score of 9.9 out of 10, making it critical in severity. Researchers with Watchcom, who discovered the flaw, said at the time of the original discovery the implications of the vulnerability are especially serious given the current pandemic-driven work-from-home trend.

Two additional flaws, also patched in September, were also patched Thursday. Researchers at Watchcom, that originally found three of the bugs patched by Cisco, said they identified new ways to exploit the same flaws. Cisco also released additional patches, on Thursday, for high-severity bugs opening up Jabber to remote attackers to execute arbitrary commands on a targeted systems.

Threatpost Webinar Promo Bug Bounty

Click to register.

Watchcom and Cisco both said they were not aware of any active exploitation of any of the bugs in the wild.

Patch, Update, Patch and Repeat

The Cisco Jabber vulnerabilities that are still open to exploitation are a cross-site scripting bug leading to RCE (CVE-2020-26085), with a 9.9 CVSS rating. The second is a password hash stealing information disclosure flaw (CVE-2020-27132), with a CVSS 6.5 severity rating. Cisco has also patched a custom protocol handler command injection vulnerability (CVE-2020-27133), rated high-severity with an CVSS rating of 8.8. An information disclosure vulnerability (CVE-2020-27132), with a CVSS rating of medium, was also patched. Lastly, there is the protocol handler command injection vulnerability (CVE-2020-27127), with a CVSS severity-rating of 4.3.

Updated patches are available via Cisco’s Security Advisories support site.

“Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed,” wrote Watchcom researchers about the three vulnerabilities it identified (CVE-2020-26085, CVE-2020-27132, CVE-2020-27127) in September and re-identified as vulnerable to attack.

“We were able to find new injection points that could be used to exploit the vulnerabilities. All currently supported versions of the Cisco Jabber client (12.1 – 12.9) are affected. The three vulnerabilities have been assigned new CVE numbers to distinguish them from the vulnerabilities disclosed in September,” researchers wrote.

Both the original discovery of the vulnerabilities and the ‘re-discovery’ were made during security audits for a client, researchers said.

Nightmare Attack Scenario

In order to exploit these vulnerabilities, all a hacker needs to be able to send a Jabber chat message to the victim, Watchcom describes.

“This could happen if the targeted company allows adding contacts outside of the organization or if the attacker gains access to an employee’s Jabber username and password,” researchers wrote. “Once the attacker is able to send chat messages, he can take full control over the computers of everyone in the organization. The person receiving the message does not have to do anything, the attackers malicious code will run automatically once the message is received.”

To exploit the two Jabber message handling vulnerabilities (CVE-2020-26085, CVE-2020-27132) an attacker would need to send an Extensible Messaging and Presence Protocol (XMPP) message to a system running the Cisco Jabber client. “Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients,” Cisco noted.

Next, an attacker can cause the Jabber application to “run an arbitrary executable that already exists within the local file path of the application,” researchers said. The executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application, Watchcom wrote. Systems using Cisco Jabber in phone-only mode without XMPP messaging services enabled are not vulnerable to exploitation.

Breaking Down the Bugs

The most serious of the bugs (CVE-2020-26085), a cross-site scripting flaw, impacts Cisco Jabber for Windows and Cisco Jabber for MacOS. The flaw allow an authenticated, remote attacker to execute programs on a targeted system.

“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution,” Cisco wrote.

Watchcom said that flaw can be exploited to achieve RCE by escaping the client’s Chromium-based sandbox. Worse, is the fact the attack vector would be zero-click, wormable via an instant message and can be used to automatically spread malware without any user interaction.

The high-severity bug, tracked as CVE-2020-27134 by Cisco, is a message handling script injection vulnerability. Vulnerable is the Cisco Jabber for Windows, MacOS, and mobile platforms. The bug allows an authenticated, remote attacker to inject arbitrary script and potentially execute arbitrary commands on some platforms, Cisco said.

“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. By convincing a targeted user to interact with a message, an attacker could inject arbitrary script code within the Jabber message window interface,” according to the Cisco bulletinCisco explained the vulnerabilities are not dependent on one another. “Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities,” it wrote in its  Cisco Security Advisory Thursday.

A second high-severity bug (CVE-2020-27133), effecting Cisco Jabber for Windows, is tied to improper handling of input to the application protocol handlers. According to Cisco, this could allow an unauthenticated, remote attacker to execute arbitrary commands.

“An attacker could exploit this vulnerability by convincing a user to click a link within a message sent by email or other messaging platform. A successful exploit could allow the attacker to execute arbitrary commands on a targeted system with the privileges of the user account that is running the Cisco Jabber client software,” Cisco said.

Discover, Disclosure Timeline

Watchcom said the timeline for the vulnerabilities (CVE-2020-26085, CVE-2020-27132, CVE-2020-27127) it originally found and then rediscovered is:

  • 2nd September 2020: Original vulnerabilities publicly disclosed. Patches released by Cisco.
  • 25th September 2020: New vulnerabilities discovered and reported to Cisco PSIRT. Case number assigned by Cisco. Issue forwarded to the Cisco Jabber engineering team.
  • 12th October 2020: Vulnerabilities confirmed by Cisco.
  • 12th October 2020 – 10th December 2020: Patches developed.
  • 10th December 2020: Patches released. Vulnerabilities publicly disclosed.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles