Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10


Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again.

The vulnerability, which was first disclosed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app didn't properly filter potentially malicious elements contained in user-sent messages. The filter was based on an incomplete blocklist that could be bypassed using an HTML event-handler attribute known as onanimationstart.

Messages that contained the attribute were passed on to the DOM of an embedded browser. Because the browser was based on the Chromium Embedded Framework, it would execute any scripts that made it through the filter.

With the filter bypassed, the researchers still had to find a way to break out of a security sandbox that is designed to keep user input from reaching sensitive parts of the operating system. The researchers eventually settled on a function called CallCppFunction, which, among other things, Cisco Jabber uses to open files one user receives from another.

In all, Watchcom reported four vulnerabilities, all of which received patches at the same time they were disclosed in September. On Thursday, however, the Watchcom researchers said fixes for three of them were incomplete.

In a blog post, company researchers wrote:

Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages. The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities.

One of these injection points is the filename of a file sent by Cisco Jabber. The filename is specified by the name attribute of a file tag sent over XMPP. This attribute is displayed in the DOM when an incoming file transfer is received. The value of the attribute is not sanitized before being added to the DOM, making it possible to inject arbitrary HTML tags into the file transfer message by manipulating it.

No additional security measures had been put in place and it was therefore possible to both gain remote code execution and steal NTLM password hashes using this new injection point.
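The two filtering failures described above (a blocklist that misses onanimationstart, and a filename value inserted into the DOM unsanitized) can be shown side by side. The following JavaScript is an added example, not code from Cisco, Watchcom or the article; the blocklist contents, the sample file-transfer name and the PLACEHOLDER handler body are all constructed for illustration.

```javascript
// Blocklist filter of the kind the article describes: it strips only the
// event-handler attributes it already knows about. Any handler missing from
// the list (here onanimationstart) passes through to the DOM untouched.
const KNOWN_HANDLERS = ["onclick", "onload", "onerror", "onmouseover"]; // constructed, incomplete on purpose
function blocklistFilter(html) {
  let out = html;
  for (const h of KNOWN_HANDLERS) {
    out = out.replace(new RegExp(`\\s${h}\\s*=\\s*("[^"]*"|'[^']*'|[^\\s>]+)`, "gi"), "");
  }
  return out;
}

// The fix for a value that should never carry markup (a filename): escape every
// character that has meaning in HTML, so the browser only ever sees text.
function escapeText(s) {
  return s.replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Detection check: does rendered HTML still contain any on* event-handler attribute?
// Matching on the "on" prefix catches handlers a blocklist has never heard of.
function hasEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: a file-transfer name attribute carrying an injected tag.
// The handler body is a harmless placeholder, not a working payload.
const injectedName = 'report.pdf" <div style="animation:x" onanimationstart="PLACEHOLDER">';

// How the file-transfer message would be rendered under each approach.
function renderWithBlocklist(name) {
  return blocklistFilter(`<span class="file-name">${name}</span>`);
}
function renderEscaped(name) {
  return `<span class="file-name">${escapeText(name)}</span>`;
}
```

The blocklist strips a known handler such as onerror but leaves onanimationstart in place, while the escaped rendering contains no live tag at all, which is what a DOM-insertion sink for untrusted text needs.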

The three vulnerabilities, along with their descriptions and Common Vulnerability Scoring System scores, are:

  • CVE-2020-26085: Cisco Jabber Cross-Site Scripting leading to RCE (CVSS 9.9)
  • CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure (CVSS 6.5)
  • CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection (CVSS 4.3)

The researchers recommended that the updates be installed as soon as possible. Until all employees are patched, organizations should consider disabling all external communications. The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 through 12.9). Cisco has details here.
