Cisco takes a second stab at fixing critical flaws in its Jabber IM client that it first disclosed in September.
Cisco has unrolled patches for several critical flaws affecting the Jabber clients for Windows, MacOS, and therefore the mobile apps for iOS and Android.
The flaws are bad, with the worst having a severity rating of 9.9 out of a possible 10. What’s worse, the issues were meant to possess been fixed three months ago in updates for Jabber, shortly after researchers released proof-of-concept exploit code for the wormable bugs, which may be exploited via a moment message.
Jabber is Cisco’s widely-used enterprise chat and instant-messaging platform, which it acquired in 2008. The app is predicated on the Chromium Embedded Framework (CEF), which allows developers to embed a natively sandboxed Chromium-based browser in their applications.
Cisco says the bugs allow an attacker to “execute arbitrary programs on the underlying OS with elevated privileges or gain access to sensitive information”. Customers haven’t any other option but to put in the newest updates to stop attacks.
Norwegian security outfit Watchcom found earlier this year that Jabber was susceptible to cross-site scripting (XSS) through XHTML-IM messages. Jabber didn’t properly sanitize incoming HTML messages and instead passed them through a faulty XSS filter.
Cisco notes that the new message-handling vulnerabilities are often exploited if an attacker can send Extensible Messaging and Presence Protocol (XMPP) messages to end-user systems running Cisco Jabber.
“Attackers may require access to an equivalent XMPP domain or another method of access to be ready to send messages to clients,” Cisco notes in an advisory.
The three incompletely fixed bugs are tracked as CVE-2020-26085, CVE-2020-27127, and CVE-2020-27132.
Watchcom reported four vulnerabilities to Cisco earlier this year, and that they were disclosed by the networking giant in September. But three of them weren’t properly fixed in updates at the time, consistent with Watchcom.
Watchcom probed the patches after a client requested an audit to see that the bugs had been sufficiently mitigated in Cisco’s existing patches. It found the bugs weren’t mitigated.
Two of the three improperly patched bugs are often wont to gain remote code execution. one among them also can be wont to gain NT LAN Manager (NTLM) password hashes from users.
“Two of the vulnerabilities are caused by the power to inject custom HTML tags into XMPP messages,” explains Watchcom’s penetration tester, Olav Sortland Thoresen.
“The patch released in September only patched the precise injection points that Watchcom had identified. The underlying issue wasn’t addressed. We were therefore ready to find new injection points that would be wont to exploit the vulnerabilities.
“Since a number of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update,” he added.
Cisco also found two additional bugs in Jabber during internal testing. they’re tracked as CVE-2020-27133 and CVE-2020-27134.
CVE-2020-27134 may be a vulnerability within the application protocol handling features of Jabber for Windows, which features a severity rating of eight out of 10.
CVE-2020-27133 features a severity rating of 8.8 out of 10 and affects Jabber for Windows and Jabber for macOS. it’s going to allow an authenticated, remote attacker to realize access to sensitive information.
