Cisco Jabber Flaw: Exploit with One Message

Researchers are warning of a critical remote code execution (RCE) flaw in the Windows version of Cisco Jabber, the networking company’s video-conferencing and instant messaging application.

The critical flaw, tracked as CVE-2020-3495, has a CVSS score of 9.9 out of 10. It can be exploited by sending specially crafted messages to targets, without requiring any user interaction.

Such applications are used by most employees, including those with privileged access to other IT systems, and a great deal of sensitive information is shared over video calls and instant messages. That is why this application has become an attractive target for attackers.

How to Exploit

An attacker could exploit the flaw by sending specially crafted Extensible Messaging and Presence Protocol (XMPP, an XML-based protocol for instant messaging) messages to vulnerable end-user systems running Cisco Jabber for Windows. Although the attack can be launched remotely, the attacker may need access to the same XMPP domain, or some other way of delivering messages to the targeted clients.

No user interaction is required on the part of the targeted victim, and the vulnerability can be exploited even when Cisco Jabber is running in the background.

The root cause is improper validation of message contents. The application does not properly sanitize incoming HTML messages; instead, it passes them through a flawed cross-site scripting (XSS) filter. This filter could be bypassed using an attribute called “onanimationstart”, which specifies a JavaScript function to be called when an element’s CSS animation starts playing.

Using this attribute, it is possible to create malicious, executable HTML tags that the filter does not catch. As a final step, the researchers built a malicious message from these HTML tags that intercepted an XMPP message sent by the application and modified it.
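To make the filter's weakness concrete, here is an added example (not Cisco's or the researchers' code) that contrasts a denylist of well-known handler names with a sanitizer that drops every on* attribute and javascript: URL, whatever the attribute is called. The DENYLIST, the Sanitizer class and the SAMPLE message are constructed for illustration; the page does not publish Jabber's real filter rules.

```python
from html import escape
from html.parser import HTMLParser

# Constructed denylist standing in for a "known-bad event handlers" filter
# (assumption: the page does not publish Jabber's actual filter rules).
DENYLIST = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}


class Sanitizer(HTMLParser):
    """Rebuild the markup, dropping every script-carrying attribute and recording what was dropped."""

    def __init__(self):
        super().__init__()
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            n = name.lower()
            # Any on* attribute is an event handler, whatever follows "on"; also block javascript: URLs.
            if n.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.dropped.append((tag, n))
            else:
                kept.append(f' {n}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # comments and doctype are silently dropped


def sanitize(html):
    """Return (cleaned_html, [(tag, attribute), ...]) for one incoming message body."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


def denylist_blocks(html):
    """Would a filter that only knows the names in DENYLIST have rejected this message?"""
    return any(attr in DENYLIST for _, attr in sanitize(html)[1])


# Constructed sample message: an animation-triggered handler plus a javascript: link.
SAMPLE = ('<div style="animation: spin 1s" onanimationstart="x()">hi</div>'
          '<a href="javascript:y()">link</a>')
```

Run against SAMPLE, the denylist never fires because "onanimationstart" is not on its list, while the sanitizer strips both the handler and the javascript: link and reports what it removed.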

An attacker can do this manually from their own machine, or automate it to create a self-spreading worm. Finally, “as a result of exploitation, an attacker could cause the application to run an arbitrary executable that already exists within the local file path of the application.

The executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application.”

According to Cisco’s advisory, systems using Cisco Jabber in phone-only mode are not vulnerable to exploitation. Also, the vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging.

Recommendations:

  • Users are strongly advised to update to the latest version of the application.
  • Make sure the system is running an updated version.
  • Where possible, use Cisco Jabber in phone-only mode (without XMPP messaging services enabled).
  • Alternatively, configure Cisco Jabber to use messaging services other than XMPP messaging.