Cisco addressed a critical severity remote code execution vulnerability that affects multiple versions of its Cisco Jabber for Windows software.
Cisco Jabber for Windows is a desktop app designed to provide users with presence, instant messaging (IM), cloud messaging, desktop sharing, as well as audio, video, and web conferencing.
Olav Sortland Thoresen of Watchcom discovered the vulnerability, which is tracked as CVE-2020-3495. The Cisco Product Security Incident Response Team (PSIRT) said that the flaw has not been exploited in the wild.
Cisco assigned the flaw a CVSS base score of 9.9. It is caused by improper input validation of the contents of incoming messages.
The vulnerability can allow remote attackers to execute arbitrary code on systems running unpatched Jabber for Windows software after successful exploitation using maliciously-crafted Extensible Messaging and Presence Protocol (XMPP) messages.
Exploiting the flaw requires no user interaction, and it can be exploited even when the Jabber for Windows client is only running in the background.
To send the malicious XMPP messages needed for successful exploitation, attackers must have access to their victims’ XMPP domain.
The attackers can also automate the exploitation process to create a worm that can spread automatically to new devices.
Because Cisco Jabber supports file transfers, an attacker can initiate a transfer of a malicious .exe file, use the XSS flaw to force the victim’s client to accept it, and then execute the file on the targeted machine.
Systems with Jabber for Windows configured in phone-only mode and those that use other messaging services are not vulnerable to exploitation.
The vulnerability affects all currently supported versions of the Cisco Jabber client for Windows (12.1 to 12.9); it does not affect Cisco Jabber for macOS or for mobile platforms.