Critical RCE Flaw in Cisco Jabber Lets Attackers Target Windows Systems Remotely

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging application for Windows that includes patches for multiple vulnerabilities that allow an authenticated remote attacker to execute arbitrary code on the victim's machine. Cisco Jabber for Windows is a desktop collaboration application designed to provide users with presence, instant messaging (IM), desktop sharing, cloud messaging as well as audio, video, and web conferencing.

The bug was identified and reported by Olav Sortland Thoresen of Watchcom. The Cisco Product Security Incident Response Team (PSIRT) says that the vulnerability is not currently being exploited in the wild. The security flaw, tracked as CVE-2020-3495, was assigned a CVSS base score of 9.9 by Cisco. The issue is caused by improper input validation of the contents of incoming messages.

All versions are affected by this flaw

According to Cisco, this vulnerability could allow authenticated, remote attackers to execute arbitrary code on systems running the Cisco Jabber client software with the privileges of the user account, after successful exploitation using maliciously crafted Extensible Messaging and Presence Protocol (XMPP) messages. No user interaction is required to exploit this bug, and the flaw is also exploitable when the Jabber for Windows client is running in the background. Attackers need access to their victim's XMPP domain to send the malicious XMPP messages required to successfully exploit this flaw.

"As a result of exploitation, a threat actor could cause the application to run an arbitrary executable that already exists within the local file path of the application. The executable files would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application," Cisco added.

Systems with Jabber for Windows configured in phone-only mode or using other messaging services are not vulnerable to exploitation. This flaw does not impact Cisco Jabber for macOS or mobile platforms; it only affects the currently supported versions of the Windows Cisco Jabber client (12.1 - 12.9), as listed in the table embedded below.

Proof of Concept 

As Watchcom's Olav Sortland Thoresen explains in more detail in their report on CVE-2020-3495, a threat actor can also automate the exploitation process to create a worm capable of spreading automatically to new devices. Since Cisco Jabber supports file transfers, a threat actor can initiate a file transfer containing a malicious .exe file, force the victim to accept it using a Cross-Site Scripting (XSS) attack, and then execute the malicious file on the targeted victim's machine.

Cisco Jabber exploit demo POC by Watchcom

With video conferencing apps gaining popularity during the pandemic, it is essential that Jabber users update the software to the latest version to mitigate the risk of this vulnerability. Given their newfound prevalence in organizations of all sizes, these applications are becoming an increasingly attractive target for attackers. A lot of sensitive information is shared over the internet through video calls or instant messages, and the applications are used by the majority of employees, including those who have privileged access to other IT systems.
