Vulnerabilities in Cisco Jabber not mitigated, Watchcom discovers

A verification audit by the Watchcom Test Team discloses that vulnerabilities were not properly mitigated – a security advisory has been issued by Cisco. In the following we present more details on the disclosure.

Description

In September 2020, Watchcom disclosed four high severity vulnerabilities in Cisco Jabber. Cisco released patches for the affected Cisco Jabber versions to mitigate the vulnerabilities. Upon request from a client, Watchcom performed a verification audit of the patch to ensure that the vulnerabilities had been sufficiently mitigated.

During the audit we found that three of the four vulnerabilities had not been sufficiently mitigated. Cisco released a patch that fixed the injection points we reported, but the underlying problem had not been fixed. As such, we were able to find new injection points that could be used to exploit the vulnerabilities.

The new vulnerabilities were reported to Cisco in September 2020. Cisco released new patches for the affected Cisco Jabber versions in December 2020. A second verification audit was performed on the new patch, and once again the Watchcom Test Team found bugs - two of the three remaining vulnerabilities were still not properly mitigated. New injection points were found and Cisco had not fixed the underlying issue. We also disclosed one new vulnerability in the application during the second verification audit.

The three vulnerabilities have been assigned new CVE numbers to distinguish them from the vulnerabilities disclosed previously. The new CVE numbers and the corresponding CVSS scores are listed below:

CVE-2021-1411: Cisco Jabber Arbitrary Program Execution Vulnerability (CVSS 9.9):

  • Similar vulnerability as previously reported “(CVE-2020-26085): Cisco Jabber Cross-Site Scripting leading to RCE (CVSS 9.9)” and “CVE-2020-3495: Cisco Jabber Message Handling Arbitrary Code Execution (CVSS 9.9)”. The risk is the same as the previously reported vulnerabilities but with new injection points.

CVE-2021-1417: Cisco Jabber Information Disclosure Vulnerability (CVSS 6.5):

  • Similar vulnerability as previously reported “(CVE-2020-3498): Cisco Jabber Information Disclosure (CVSS 6.5)” and “CVE-2020-27132: Cisco Jabber Password Hash Stealing Information Disclosure (CVSS 6.5)”. The risk is the same as the previously reported vulnerabilities but with new injection points.

CVE-2021-1418: Cisco Jabber Denial of Service Vulnerability (CVSS 4.3):

  • New vulnerability. Can be exploited by attackers by sending crafted XMPP messages to another Cisco Jabber user. The recipients’ Cisco Jabber application would crash when receiving the message, resulting in a Denial of Service (DoS).

Mitigation

As with previous Jabber vulnerabilities we advise all users to update to the latest version as soon as possible. 

Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation.

Note that Watchcom has not verified the patches and cannot say with certainty that they are effective. We therefore recommend performing a security audit of the patched version before putting it to use.

Blue teams that want to detect potential exploitation of these vulnerabilities should be aware of the following indicators:

  • XMPP messages with unusual HTML content
  • Invocations of CiscoJabber.exe with unusual flags
  • Unusual sub-processes of CiscoJabber.exe
  • Malicious files being sent through Cisco Jabber’s file sharing feature
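The following is an added example, not part of Watchcom's or Cisco's material, showing how three of the indicators above (unusual XHTML-IM content, unusual CiscoJabber.exe flags, unusual child processes) can be checked over process-creation events and XMPP stanzas. The allowlists of expected flags and child processes are assumed placeholders to be tuned per environment, and the sample events and stanza are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed baseline, not from the advisory: child processes and command-line
# flags Cisco Jabber is expected to produce in a given environment. These are
# placeholders; tune them against your own telemetry before deploying.
EXPECTED_CHILDREN = {"werfault.exe", "conhost.exe"}
EXPECTED_FLAGS = {"/autostart"}
XHTML_NS = "{http://www.w3.org/1999/xhtml}"
ALLOWED_XHTML_TAGS = {"body", "p", "span", "br", "a", "img"}

def check_process_event(event):
    """Indicators triggered by one process-creation event (dict of strings)."""
    hits = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    flags = event.get("command_line", "").split()[1:]
    if image == "ciscojabber.exe" and any(f.lower() not in EXPECTED_FLAGS for f in flags):
        hits.append("jabber_unusual_flags")
    if parent == "ciscojabber.exe" and image not in EXPECTED_CHILDREN:
        hits.append("jabber_unusual_child")
    return hits

def check_xmpp_message(stanza):
    """Flag tags or attributes in an XHTML-IM body outside a small allowlist."""
    hits = []
    for el in ET.fromstring(stanza).iter():
        if not el.tag.startswith(XHTML_NS):
            continue  # plain <body>, the <html> wrapper etc. are not XHTML payload
        tag = el.tag[len(XHTML_NS):]
        if tag not in ALLOWED_XHTML_TAGS:
            hits.append("xhtml_tag:" + tag)
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on") or value.strip().lower().startswith("javascript:"):
                hits.append("xhtml_attr:" + attr)
    return hits

# Constructed sample telemetry for the checks above, not real captures.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Cisco Systems\Cisco Jabber\CiscoJabber.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "CiscoJabber.exe /autostart"},
    {"image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c hostname",
     "parent_image": r"C:\Program Files\Cisco Systems\Cisco Jabber\CiscoJabber.exe"},
]
SAMPLE_STANZA = (
    '<message xmlns="jabber:client" from="a@example.org" to="b@example.org"><body>hi</body>'
    '<html xmlns="http://jabber.org/protocol/xhtml-im"><body xmlns="http://www.w3.org/1999/xhtml">'
    '<p onmouseover="x()">hi</p><script>x()</script></body></html></message>'
)
```

Feed real Sysmon or EDR process-creation records (mapped to the image, parent_image and command_line fields) and XMPP stanzas captured at the federation boundary; the first sample event yields no hit, the second flags an unexpected child of CiscoJabber.exe.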

Cisco has published a security advisory for the vulnerabilities - see the following link for their recommendations.

Timeline

  • 7th January 2021: New vulnerabilities discovered and reported to Cisco PSIRT
  • 24th March 2021: Patches released. Vulnerabilities publicly disclosed