Cisco has patched a critical vulnerability in its Jabber for Windows desktop collaboration app. Exploiting the flaw could allow remote code execution attacks.
Cisco Jabber For Windows Vulnerability
In a recent advisory, Cisco has disclosed a serious security vulnerability affecting its product Jabber for Windows. Jabber is a desktop communication app offering video and audio chats, IMs, web conferencing, cloud messaging, and other features.
The vulnerability existed because of improper message validation. According to Cisco’s advisory:
“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software.”
Thus, a maliciously crafted message could allow an attacker to gain access to the target device in the context of the user. Successful exploitation of the vulnerability did not require any user interaction, and it would work even when the app was running in the background.
Ultimately, this would allow a remote attacker to execute arbitrary code on the target device.
Cisco further stated that the vulnerability affected only the Jabber for Windows client, and only under certain conditions:
“Systems using Cisco Jabber in phone-only mode without XMPP messaging services enabled are not vulnerable to exploitation. In addition, the vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging.”
Cisco rated this vulnerability, CVE-2020-3495, as critical severity, with a CVSS score of 9.9.
More Bugs Found – Patches Rolled Out
The vulnerability first caught the attention of security researchers from Watchcom, who also discovered numerous other flaws in Jabber.
As detailed in their post, they found three more bugs: a high-severity command injection vulnerability (CVE-2020-3430) and two medium-severity bugs (CVE-2020-3498 and CVE-2020-3537).
Following their report, Cisco fixed all the bugs with Cisco Jabber for Windows Releases 12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3, and 12.9.1.
Cisco has also confirmed no active exploitation of any of these vulnerabilities.
Accordingly, Jabber users should update their devices with fixed versions to avoid any potential mishaps.
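To check an inventory against the fixed releases listed above, the following Python script is an added example, not code from Cisco or Watchcom. It assumes dotted version strings and ignores any fourth build component; the host names and inventory rows are constructed, and release trains the article does not list are reported as such rather than guessed. It checks the version only, not whether XMPP messaging is enabled.

```python
# Added example: classify Jabber for Windows versions against the fixed
# releases named in the article. Inventory rows below are constructed.
import re

# First fixed patch level per release train (major, minor), from the article:
# 12.1.3, 12.5.2, 12.6.3, 12.7.2, 12.8.3, 12.9.1
FIXED = {(12, 1): 3, (12, 5): 2, (12, 6): 3, (12, 7): 2, (12, 8): 3, (12, 9): 1}


def parse_version(text):
    """Return (major, minor, patch) from a dotted version string, or None.

    Assumption: any components after the third (e.g. a build number)
    do not affect the comparison and are ignored.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text):
    """Classify one version string against the article's fixed releases."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    train, patch = version[:2], version[2]
    if train not in FIXED:
        # The article gives no fixed release for this train; do not guess.
        return "train-not-listed"
    return "fixed" if patch >= FIXED[train] else "needs-update"


def triage(inventory):
    """Map host -> status for an iterable of (host, version) rows."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-001", "12.9.0"),
    ("ws-002", "12.9.1"),
    ("ws-003", "12.8.3.12345"),
    ("ws-004", "12.6.2"),
    ("ws-005", "12.0.1"),
    ("ws-006", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```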
Recently, Cisco has also warned users about a zero-day vulnerability affecting IOS XR software. Cisco is presently working to develop a fix for it. Until then, they have advised mitigation strategies.