Cisco 9.9/10-severity bug: Patch these dangerous Jabber flaws for Windows, macOS

Cisco takes a second stab at fixing critical flaws in its Jabber IM client that it first disclosed in September.

Cisco's SSM On-Prem has a 9.8/10 severity flaw, patch now

Cisco has rolled out patches for several critical flaws affecting the Jabber clients for Windows, MacOS, and the mobile apps for iOS and Android. 

The flaws are bad, with the worst having a severity rating of 9.9 out of a possible 10. What's worse, the flaws were meant to have been fixed three months ago in updates for Jabber, shortly after researchers released proof-of-concept exploit code for the wormable bugs, which can be exploited via an instant message. 

Jabber is Cisco's widely-used enterprise chat and instant-messaging platform, which it acquired in 2008. The app is based on the Chromium Embedded Framework (CEF), which allows developers to embed a natively sandboxed Chromium-based web browser in their applications.  

SEE: Network security policy (TechRepublic Premium)

Cisco says the bugs allow an attacker to "execute arbitrary programs on the underlying operating system with elevated privileges or gain access to sensitive information". Customers have no other option but to install the latest updates to prevent attacks. 

Norwegian security outfit Watchcom found earlier this year that Jabber was vulnerable to cross-site scripting (XSS) through XHTML-IM messages. Jabber did not properly sanitize incoming HTML messages and instead passed them through a faulty XSS filter.

Cisco notes that the new message-handling vulnerabilities can be exploited if an attacker can send Extensible Messaging and Presence Protocol (XMPP) messages to end-user systems running Cisco Jabber. 

"Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients," Cisco notes in an advisory

The three incompletely fixed bugs are tracked as CVE-2020-26085, CVE-2020-27127, and CVE-2020-27132. 

Watchcom reported four vulnerabilities to Cisco earlier this year, and they were disclosed by the networking giant in September. But three of them were not properly fixed in updates at the time, according to Watchcom

Watchcom probed the patches after a client requested an audit to check that the bugs had been sufficiently mitigated in Cisco's existing patches. It found the bugs were not mitigated. 

Two of the three improperly patched bugs can be used to gain remote code execution. One of them can also be used to gain NT LAN Manager (NTLM) password hashes from users. 

"Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages," explains Watchcom's penetration tester, Olav Sortland Thoresen. 

"The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities.

"Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update," he added. 

SEE: Keeping data flowing could soon cost billions, business warned

Cisco also found two additional bugs in Jabber during internal testing. They are tracked as CVE-2020-27133 and CVE-2020-27134. 

CVE-2020-27134 is a vulnerability in the application protocol handling features of Jabber for Windows, which has a severity rating of eight out of 10. 

CVE-2020-27133 has a severity rating of 8.8 out of 10 and affects Jabber for Windows and Jabber for macOS. It may allow an authenticated, remote attacker to gain access to sensitive information.

More on Cisco and networking security

  • Cisco reveals this critical bug in Cisco Security Manager after exploits are posted – patch now  
  • Windows 10: Using Cisco's Webex Meetings for remote work? Patch now, warns Cisco  
  • Cisco security warning: Patch Webex Teams for Windows and surveillance camera now  
  • Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software  
  • Patch now: Cisco warns Jabber IM client for Windows has a critical flaw  
  • Cisco bug warning: Critical static password flaw in network appliances needs patching  
  • Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows  
  • Patch now: Cisco warns of nasty bug in its data center software  
  • Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise'  
  • Cisco warns: These Nexus switches have been hit by a serious security flaw  
  • Cisco: Critical Java flaw strikes 'call center in a box', patch urgently  
  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET