Cisco Jabber for Windows is a desktop collaboration client that integrates users with presence, audio, video and web conferencing, instant messaging (IM), cloud messaging, and desktop sharing.
The vulnerability was discovered by the security researcher Olav Sortland Thoresen from Watchcom.
The CVE-2020-3495 flaw is caused by improper input validation of incoming messages' contents. It could be exploited by an authenticated, remote attacker to execute arbitrary code with the privileges of the user account that is running the Cisco Jabber client software.
“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software.” reads the security advisory published by Cisco. “A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.”
An authenticated, remote attacker can exploit the flaw by sending specially-crafted Extensible Messaging and Presence Protocol (XMPP) messages to vulnerable devices.
The CVE-2020-3495 flaw can also be exploited when the Jabber for Windows client is running in the background; in either case, no user interaction is required to trigger the issue.
“To exploit this vulnerability, an attacker must be able to send XMPP messages to end-user systems running Cisco Jabber for Windows. Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients.” continues the advisory.
“As a result of exploitation, an attacker could cause the application to run an arbitrary executable that already exists within the local file path of the application.” “The executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application.”
According to the advisory, systems using Cisco Jabber in phone-only mode without XMPP messaging services enabled are not vulnerable to attacks exploiting this issue. Cisco also added that the vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging.
The vulnerability affects all currently supported versions of the Windows Cisco Jabber client (12.1 to 12.9).
The Cisco Product Security Incident Response Team (PSIRT) confirmed that it is not aware of attacks in the wild exploiting the vulnerability.
According to Thoresen, the vulnerability is wormable and its exploitation could be automated.
“The most severe vulnerability is also wormable, meaning that it can be used to automatically spread malware without any user interaction.” reads the analysis published by the expert.
“Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack. The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim's machine.”
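The root cause described above (message contents rendered by the client without proper validation, giving an XSS foothold in the chat window) is a general pattern in chat clients built on an embedded browser. The following is an added illustration, not Cisco's code and not Watchcom's analysis: it parses a constructed XMPP `<message>` stanza, XML-decodes the `<body>` text as any XMPP client must, and then shows the difference between dropping that decoded text straight into HTML and escaping it first. The stanza, the JIDs and the function names are all assumptions made for the example.

```javascript
// Added example (not Cisco's code): a minimal XMPP <message> body extractor
// and two chat-bubble renderers, one unsafe and one hardened.
// Scenario: a chat client renders message text inside an embedded browser.
// If the XML-decoded body is dropped into HTML unescaped, markup the sender
// controls is interpreted by the renderer. The sample stanza is constructed.

// Decode the predefined XML entities that XMPP uses inside <body>.
function decodeXmlEntities(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" does not double-decode
}

// Pull the text of the first <body> element out of a serialized stanza.
// Real clients use an XML parser; a regex keeps this example dependency-free.
function extractBody(stanza) {
  const m = /<body(?:\s[^>]*)?>([\s\S]*?)<\/body>/.exec(stanza);
  return m ? decodeXmlEntities(m[1]) : '';
}

// Escape a string for insertion as HTML text content.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Unsafe: decoded message text is interpolated straight into markup, so any
// tags in the message body become live elements in the renderer.
function renderUnsafe(from, body) {
  return `<div class="msg"><span class="from">${from}</span>: ${body}</div>`;
}

// Hardened: sender JID and body are escaped, so the message is shown as text.
function renderSafe(from, body) {
  return `<div class="msg"><span class="from">${escapeHtml(from)}</span>: ` +
    `${escapeHtml(body)}</div>`;
}

// Defensive check: does the rendered HTML contain any element other than the
// ones the template itself emits? Useful as a unit test on a renderer.
function containsForeignMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  const allowed = new Set(['<div', '</div', '<span', '</span']);
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample stanza (hypothetical JIDs): the body carries an
// entity-encoded <script> element, which is how a literal "<" must appear
// inside XML. After XML decoding it is real markup again.
const SAMPLE_STANZA =
  '<message from="alice@example.test/laptop" to="bob@example.test" type="chat">' +
  '<body>hi &lt;script&gt;console.log("ran")&lt;/script&gt; &amp; bye</body>' +
  '</message>';

// Run both renderers over the sample and report whether foreign markup
// survived into the output.
function demo() {
  const body = extractBody(SAMPLE_STANZA);
  const from = 'alice@example.test/laptop';
  const unsafeHtml = renderUnsafe(from, body);
  const safeHtml = renderSafe(from, body);
  return {
    body,
    unsafeHasForeignMarkup: containsForeignMarkup(unsafeHtml),
    safeHasForeignMarkup: containsForeignMarkup(safeHtml),
    safeHtml,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point the example makes is that XML decoding and HTML encoding are separate steps: the XMPP layer legitimately turns `&lt;script&gt;` back into `<script>`, so the presentation layer must escape again (or use `textContent` rather than `innerHTML`) before the text reaches the DOM. `containsForeignMarkup` is the kind of regression check a client team can keep in its test suite for every renderer that touches peer-supplied text.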