Cisco Jabber for Windows Information Disclosure (cisco-sa-jabber-ttcgB9R3)
2020-09-04T00:00:00
ID: CISCO-SA-JABBER-TTCGB9R3.NASL
Type: nessus
Reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2020-09-04T00:00:00
Description
According to its self-reported version, Cisco Jabber is affected by an information disclosure vulnerability. The
vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by
sending specially crafted messages to a targeted system. A successful exploit could allow the attacker to cause
the application to return sensitive authentication information to another system, possibly for use in further attacks.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin metadata, registered when the scanner loads the plugin in description mode.
if (description)
{
  script_id(140270);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/12/18");

  script_cve_id("CVE-2020-3498");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu71180");
  script_xref(name:"CISCO-SA", value:"cisco-sa-jabber-ttcgB9R3");
  script_xref(name:"IAVA", value:"2020-A-0399-S");

  script_name(english:"Cisco Jabber for Windows Information Disclosure (cisco-sa-jabber-ttcgB9R3)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Jabber is affected by a information disclosure vulnerability. The
vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by
sending specially crafted messages to a targeted system. A successful exploit could allow the attacker to cause
the application to return sensitive authentication information to another system, possibly for use in further attacks.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ttcgB9R3
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?961fd1ec");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu71180");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvu71180");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3498");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(200);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:jabber");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_jabber_client_installed.nbin");
  script_require_keys("installed_sw/Cisco Jabber for Windows");

  exit(0);
}

include('vcf.inc');

# The check is local: it needs the registry data collected over SMB and the
# install record written by the cisco_jabber_client_installed.nbin dependency.
get_kb_item_or_exit('SMB/Registry/Enumerated');

app_info = vcf::get_app_info(app:'Cisco Jabber for Windows', win_local:TRUE);

# One entry per supported release branch: an install is reported when its
# version is at or above min_version and below fixed_version.
constraints = [
  { 'min_version' : '12.1 ', 'fixed_version' : '12.1.3'},
  { 'min_version' : '12.5 ', 'fixed_version' : '12.5.2'},
  { 'min_version' : '12.6 ', 'fixed_version' : '12.6.3'},
  { 'min_version' : '12.7 ', 'fixed_version' : '12.7.2'},
  { 'min_version' : '12.8 ', 'fixed_version' : '12.8.3'},
  { 'min_version' : '12.9 ', 'fixed_version' : '12.9.1'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
Related bulletins

CVE-2020-3498 (NVD)
Published: 2020-09-04T03:15:00
Modified: 2020-09-09T19:23:00
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3498
CWE: CWE-20
CVSS v3.1: 6.5 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v2: 4.0 (MEDIUM), AV:N/AC:L/Au:S/C:P/I:N/A:N

A vulnerability in Cisco Jabber software could allow an authenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted messages to a targeted system. A successful exploit could allow the attacker to cause the application to return sensitive authentication information to another system, possibly for use in further attacks.

Cisco Jabber for Windows Information Disclosure Vulnerability (Cisco)
ID: CISCO-SA-JABBER-TTCGB9R3
Published: 2020-09-02T16:00:00
Modified: 2020-09-02T16:00:00
URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ttcgB9R3
CVSS v3.1: 6.5, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE: CVE-2020-3498

A vulnerability in Cisco Jabber software could allow an authenticated, remote attacker to gain access to sensitive information.

The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted messages to a targeted system. A successful exploit could allow the attacker to cause the application to return sensitive authentication information to another system, possibly for use in further attacks.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ttcgB9R3

Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely (The Hacker News)
ID: THN:4BE868261372143E25379A8422C42E17
Published: 2020-09-03T08:36:00
Modified: 2020-09-03T08:36:33
URL: https://thehackernews.com/2020/09/cisco-jabber-hacking.html
CVE: CVE-2020-3430, CVE-2020-3495, CVE-2020-3498, CVE-2020-3537

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities—which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code.

The flaws, which were uncovered by Norwegian cybersecurity firm [Watchcom](https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/) during a pentest, affect all currently supported versions of the Jabber client (12.1-12.9) and has since been fixed by the company.

Two of the four flaws can be exploited to gain remote code execution (RCE) on target systems by sending specially crafted chat messages in group conversations or specific individuals.

The most severe of the lot is a flaw (CVE-2020-3495, CVSS score 9.9) that's caused by improper validation of message contents, which could be leveraged by an attacker by sending maliciously-crafted Extensible Messaging and Presence Protocol ([XMPP](https://en.wikipedia.org/wiki/XMPP)) messages to the affected software.

"A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution," Cisco said in an [advisory](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg) published yesterday.

The development comes days after Cisco warned of an [actively exploited zero-day flaw](https://thehackernews.com/2020/09/cisco-issue-warning-over-ios-xr-zero.html) in its IOS XR router software.

## An XSS Flaw to an RCE Flaw

XMPP (originally called Jabber) is an XML-based communications protocol used for facilitating instant messaging between any two or more network entities.

It's also designed to be extensible so as to accommodate additional functionality, one of which is [XEP-0071: XHTML-IM](https://xmpp.org/extensions/xep-0071.html) — a specification that lays down the rules for exchanging HTML content using the XMPP protocol.

The flaw in Cisco Jabber arises from cross-site scripting (XSS) vulnerability when parsing XHTML-IM messages.

"The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter," Watchcom researchers explained.

As a consequence, a legitimate XMPP message can be intercepted and modified, thereby causing the application to run an arbitrary executable that already exists within the local file path of the application.

To achieve this, it takes advantage of a separate vulnerable function in Chromium Embedded Framework ([CEF](https://en.wikipedia.org/wiki/Chromium_Embedded_Framework)) — an open-source framework that's used to embed a Chromium web browser within other apps — that could be abused by a bad actor to execute rogue ".exe" files on the victim's machine.

Attackers, however, are required to have access to their victims' XMPP domains to send the malicious XMPP messages needed to exploit the vulnerability successfully.

Additionally, three other flaws in Jabber (CVE-2020-3430, CVE-2020-3498, CVE-2020-3537) could be exploited to inject malicious commands and cause information disclosure, including the possibility of stealthily collecting users' [NTLM password hashes](https://thehackernews.com/2020/04/zoom-windows-password.html).

With video conferencing applications becoming popular in the wake of the pandemic, it's essential that Jabber users update to the latest version of the software to mitigate the risk.

"Given their newfound prevalence in organizations of all sizes, these applications are becoming an increasingly attractive target for attackers," Watchcom said. "A lot of sensitive information is shared through video calls or instant messages and the applications are used by the majority of employees, including those with privileged access to other IT systems."

"The security of these applications is therefore paramount, and it is important to ensure that both the applications themselves, and the infrastructure they are using, are regularly audited for security gaps."

Attackers Can Exploit Critical Cisco Jabber Flaw With One Message (Threatpost)
ID: THREATPOST:D2E35B61D2D9455A00F50AC6B8A5A129
Published: 2020-09-03T17:30:07
Modified: 2020-09-03T17:30:07
URL: https://threatpost.com/attackers-can-exploit-critical-cisco-jabber-flaw-with-one-message/158942/
CVSS v2: 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C
CVE: CVE-2020-24400, CVE-2020-24407, CVE-2020-3430, CVE-2020-3495, CVE-2020-3498, CVE-2020-3537

Researchers are warning of a critical remote code-execution (RCE) flaw in the Windows version of Cisco Jabber, the networking company’s video-conferencing and instant-messaging application. Attackers can exploit the flaw merely by sending targets specially crafted messages – no user interaction required.

The flaw ([CVE-2020-3495](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg)) has a CVSS score of 9.9 out of 10, making it critical in severity, Cisco said in a Wednesday advisory. Researchers with Watchcom, who discovered the flaw, said that with remote workforces surging during the [coronavirus pandemic](https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/), the implications of the vulnerability are especially serious.

“Given their newfound prevalence in organizations of all sizes, these applications are becoming an increasingly attractive target for attackers,” Watchcom researchers said in an [analysis on Wednesday](https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/). “A lot of sensitive information is shared through video calls or instant messages, and the applications are used by the majority of employees, including those with privileged access to other IT systems.”

An attacker could exploit the flaw by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to vulnerable end-user systems running Cisco Jabber for Windows. XMPP is an XML-based protocol for instant messaging, based on an open standard, which is widely used in both open-source and proprietary software.

While attackers can be remote to launch such an attack, they may require access to the same XMPP domain or another method of access to be able to send messages to clients, according to researchers. However, for the most part, the attack is easy to carry out: No user interaction is required on the part of the targeted victim, and the vulnerability can be exploited even when Cisco Jabber is running in the background.

The issue stems from Cisco Jabber improperly validating message contents; the application does not properly sanitize incoming HTML messages. It instead passes the messages through a flawed cross-site scripting (XSS) filter. Researchers discovered that this filter could be bypassed using an attribute called “onanimationstart.” This attribute is used to specify a JavaScript function that will be called when an element’s CSS animation starts playing.

Using the attribute (along with a built-in animation assigned to it) researchers found it was possible to create malicious HTML tags that the filter did not catch, and were ultimately executed. As a final step, researchers created a malicious message using these HTML tags, that then intercepted an XMPP message sent by the application and modified it.

[Figure: The Jabber RCE vulnerability in action. Credit: Watchcom]

Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically, said researchers.

Finally, “as a result of exploitation, an attacker could cause the application to run an arbitrary executable that already exists within the local file path of the application,” according to Cisco. “The executable would run on the end-user system with the privileges of the user who initiated the Cisco Jabber client application.”

Systems using Cisco Jabber in phone-only mode (without XMPP messaging services enabled) are not vulnerable to exploitation, Cisco’s advisory said. In addition, the vulnerability is not exploitable when Cisco Jabber is configured to use messaging services other than XMPP messaging.

The vulnerabilities affect all currently supported versions of the Cisco Jabber client (12.1 – 12.9). Cisco has released updates for different releases of affected Cisco Jabber. See the fixes in the table below:

[Image: table of fixes]

Researchers said that they found three other vulnerabilities in Cisco Jabber, including a protocol-handler-command infection (CVE-2020-3430), an information-disclosure flaw (CVE-2020-3498) and a Universal Naming Convention link-handling issue (CVE-2020-3537).

Cisco said it is not aware of any public announcements or malicious use of the flaw.