[German]Network equipment supplier Cisco has released an updated version of its video conferencing and messaging application Jabber for Windows. The update addresses four critical vulnerabilities that could allow an attacker to execute arbitrary code, Remote Code Execution (RCE). It is sufficient to send specially crafted chat messages, either in group chats or directly to specific users. No user interaction is required and the vulnerability can be exploited even if Cisco Jabber is running in the background.
Advertising
What is Cisco Jabber?
Cisco Jabber is an application for video conferencing and instant messaging. It is mainly used for internal communication, but can also be used to chat, call or hold meetings with people outside the organization. Today, many people work from home and applications like Cisco Jabber are essential for team communication. This makes such applications an increasingly attractive target for attackers. Much sensitive information is exchanged via video calls or instant messages, and the applications are used by the majority of employees, including those with privileged access to other IT systems.
Four vulnerabilities in Cisco Jabber
There are four critical RCE vulnerabilities in Jabber, but they have been patched via update. The vulnerabilities were discovered by the Norwegian cyber security company Watchcom during a pentest. All currently supported versions of the Jabber client (12.1 to 12.9) are affected. aufgedeckt
- CVE-2020-3495: Cisco Jabber Message Handling Arbitrary Code Execution (CVSS 9.9)
- CVE-2020-3430: Cisco Jabber Protocol Handler Command Injection (CVSS 8.0)
- CVE-2020-3498: Cisco Jabber Information Disclosure (CVSS 6.5)
- CVE-2020-3537: Cisco Jabber Universal Naming Convention Link Handling (CVSS 5.7)
Two of the four bugs can be exploited for Remote Code Execution (RCE) on the target systems. It is sufficient to send specially designed chat messages in group discussions or to specific people. The most serious bug is a flaw (CVE-2020-3495, CVSS score 9.9) caused by improper validation of message content that could be exploited by an attacker by maliciously sending maliciously crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software.
The first three vulnerabilities were discovered and reported to Cisco on June 17, 2020. On September 2, 2020, Cisco released patches for the affected software. Therefore, the vulnerabilities have now been publicly disclosed. Details about the vulnerabilities can be found in the report of the cyber security company Watchcom. Cisco has issued the security advisory Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability. (via)
