Full Report
Cisco Jabber is a collaboration client that provides instant messaging and video calling, comparable to Zoom. For instant messaging it uses XMPP, an XML-based protocol. An XMPP session is one long-lived XML stream: it is opened with a stream:stream root element, and short XML fragments called stanzas are then exchanged on it. Cisco Jabber parses that stream with the Gloox XMPP library. Control stanzas and chat-message stanzas travel over the same stream, which raises the question that earlier Zoom research answered for that client: can attacker-controlled message content be made to look, to the receiving parser, like a control message? In Zoom this was achieved through a Unicode decoding difference between the client and the server.

Cisco modified the Gloox library in a few places. When the original library encounters a new stream:stream tag while it is already parsing stanzas, it exits that code path, so the attempted escape is effectively ignored. In Cisco's version the same code block calls cleanup() instead. That resets the parser state, and whatever XML tag arrives next becomes the new root tag. An attacker who can get a stream:stream tag into the stream therefore controls how everything after it is parsed, and can inject control messages and other data into the server side of the conversation as though they had been sent legitimately. A single reset of the parser is all that makes this possible.

The write-up does not say what the injected stanzas can ultimately be used for; in the Zoom case the equivalent flaw was escalated to code execution. Overall, an interesting bug and a direct variant of the Zoom client finding.
Analysis Summary
# Vulnerability: Cisco Jabber XMPP Parser Reset (Logic Flaw)
## CVE Details
- **CVE ID:** Not stated in the source text; no identifier is given for this parser flaw.
- **CVSS Score:** Not given in the source.
- **CWE:** CWE-20: Improper Input Validation / CWE-436: Interpretation Conflict
## Affected Systems
- **Products:** Cisco Jabber
- **Versions:** Not specified in the source (applies to builds that ship Cisco's modified Gloox XMPP library).
- **Configurations:** Systems utilizing XMPP for instant messaging and control requests over a unified XML stream.
## Vulnerability Description
The vulnerability lies in Cisco's custom modification of the **Gloox XMPP library**. In standard XMPP communication the session is a single long-lived XML stream, opened with a `<stream:stream>` root element, on which data is transmitted as short XML fragments known as "stanzas".
In the original Gloox library, encountering a new `<stream:stream>` tag mid-session causes the parser to exit that code path, so the tag has no effect on parser state and the attempted escape is ignored. Cisco modified this behavior to call a `cleanup()` function instead. This function resets the XML parser state, so any XML tag following the injected stream tag is treated as a new root tag. An attacker who can place a `<stream:stream>` tag inside otherwise ordinary message content can therefore "smuggle" XML past the parser's stanza boundaries and have it processed as top-level control messages or server-side requests.
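To make the difference between the two behaviours concrete, the following added model (not Gloox or Cisco code, and not from the write-up) builds stanzas from a tag stream in two modes: one where a mid-stanza `<stream:stream>` is left as ordinary nested data, and one where it triggers a `cleanup()` that resets the parser state. The `Tag`, `StreamParser` and `StanzaRecorder` names and the `SESSION` sample are this example's own constructions; the real library has its own parser and tag model.

```python
# Model of the two stanza-assembly behaviours described above. Added
# illustration only; it is not Gloox or Cisco code and reproduces just the
# structural point: what a mid-stanza <stream:stream> does to parser state.
import re
from dataclasses import dataclass, field
from typing import Optional

# Loose tokenizer for start, end and self-closing tags with double-quoted
# attributes. Text nodes are skipped because only the tag structure matters.
TAG_RE = re.compile(r'<(/?)([A-Za-z_][\w:.-]*)((?:\s+[^\s=/>]+="[^"]*")*)\s*(/?)>')
ATTR_RE = re.compile(r'([^\s=]+)="([^"]*)"')


@dataclass
class Tag:
    name: str
    attrs: dict = field(default_factory=dict)
    parent: Optional["Tag"] = field(default=None, repr=False, compare=False)
    children: list = field(default_factory=list)

    def find(self, name: str) -> Optional["Tag"]:
        # Depth-first search for a descendant with the given name.
        for child in self.children:
            if child.name == name:
                return child
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


class StanzaRecorder:
    # Stand-in for the application's tag handler: records what it is handed.
    def __init__(self):
        self.stream_openers = []   # attrs of each accepted stream header
        self.stanzas = []          # completed top-level stanzas, in order

    def stream_opened(self, attrs):
        self.stream_openers.append(attrs)

    def handle_stanza(self, tag):
        self.stanzas.append(tag)


class StreamParser:
    def __init__(self, handler, reset_on_stream_tag: bool):
        self.handler = handler
        # True models the modified library (cleanup() on a nested stream tag);
        # False models the original, which leaves the parser state untouched.
        self.reset_on_stream_tag = reset_on_stream_tag
        self.cleanup()

    def cleanup(self):
        # Drop the partially built tree; the next start tag becomes the root.
        self.root = None
        self.current = None

    def feed(self, data: str):
        for closing, name, attr_text, self_closing in TAG_RE.findall(data):
            if closing:
                self._end(name)
                continue
            self._start(name, dict(ATTR_RE.findall(attr_text)))
            if self_closing:
                self._end(name)

    def _start(self, name, attrs):
        if name == "stream:stream":
            if self.root is None:
                # Legitimate stream header at the start of the session.
                self.handler.stream_opened(attrs)
                return
            if self.reset_on_stream_tag:
                # Modelled Cisco change: state is wiped mid-stanza. The
                # enclosing <message> is lost and whatever follows is a root.
                self.cleanup()
                return
            # Modelled original: fall through, the tag is just nested data.
        tag = Tag(name, attrs, parent=self.current)
        if self.root is None:
            self.root = tag
        else:
            self.current.children.append(tag)
        self.current = tag

    def _end(self, name):
        # Lenient close: pop to the nearest open ancestor with this name.
        node = self.current
        while node is not None and node.name != name:
            node = node.parent
        if node is None:
            return  # stray closer with nothing open: ignored
        self.current = node.parent
        if node is self.root:
            self.handler.handle_stanza(node)
            self.cleanup()


# Constructed session: a normal stream header, then one <message> whose body
# carries a second stream opener followed by an <iq> the sender wants promoted.
SESSION = (
    '<stream:stream xmlns="jabber:client" '
    'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">'
    '<message from="attacker@example.com" to="victim@example.com"><body>hi'
    '<stream:stream xmlns="jabber:client" version="1.0">'
    '<iq type="set" id="smuggled"><query xmlns="jabber:iq:roster"/></iq>'
    '</body></message>'
)


def parse_session(reset_on_stream_tag: bool, data: str = SESSION) -> StanzaRecorder:
    rec = StanzaRecorder()
    StreamParser(rec, reset_on_stream_tag).feed(data)
    return rec
```

Running `parse_session(False)` hands the handler a single `message` stanza in which the `iq` sits buried under `body` and `stream:stream`; the handler only ever sees chat content. Running `parse_session(True)` hands it a top-level `iq` stanza with the attacker's attributes, and the enclosing `message` never arrives at all. That is the whole bug: the same bytes, two different sets of stanzas delivered to application code.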
## Exploitation
- **Status:** No proof of concept is given in the source; the equivalent Zoom flaw was demonstrated end to end in the earlier research.
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (assessment, not stated in the source: injected stanzas run with the session's identity and could request or redirect data).
- **Integrity:** High (the source confirms that control messages can be injected and the parser state altered).
- **Availability:** Medium (assessment: a forced parser reset discards the in-flight stanza and can disrupt the session).
- **Note:** While the article does not confirm RCE for Jabber, a similar flaw in Zoom allowed for Remote Code Execution.
## Remediation
### Patches
- Users should update Cisco Jabber to the latest version provided by the vendor. Cisco typically addresses library-level flaws in cumulative software updates.
### Workarounds
- No specific software workarounds are identified; mitigation relies on patching the underlying parser logic.
## Detection
- **Indicators of Compromise:** A `<stream:stream>` start tag that appears while another element is still open in an established XMPP session, a second root element after the stream header, or a session that stops being well-formed immediately after such a tag. An escaped `&lt;stream:stream&gt;` in message text is ordinary data and is not an indicator.
- **Detection methods:** Inspection of XMPP traffic for XML smuggling attempts or malformed stanzas that would trigger a parser reset. XMPP sessions are normally TLS-protected, so this requires a vantage point with plaintext visibility (a TLS-terminating proxy or server-side logging); a passive network sensor cannot see the tags.
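An added detector for the indicator above, written for this page rather than taken from the write-up or any vendor tooling. It assumes the input is the decoded XML of one direction of a session (for example from a TLS-terminating proxy), fed chunk by chunk as captured, and uses the standard-library expat parser to track element depth: a `stream:stream` start tag at non-zero depth is flagged, and the well-formedness failure that typically follows one is recorded as a second finding. The `StreamScanner` and `scan_session` names and both sample sessions are constructed for the example.

```python
# Scanner applying the indicator above to decoded XMPP stream data. Added
# example; the samples below are constructed, not captured traffic.
from xml.parsers import expat

STREAM_TAG = "stream:stream"


class StreamScanner:
    # Tracks element depth across a session and flags stream openers that
    # arrive while another element is still open, plus the well-formedness
    # failure that usually follows one.
    def __init__(self):
        self.depth = 0          # currently open elements
        self.findings = []      # (kind, byte_index, detail)
        # No namespace processing, so the prefixed name is seen as written.
        self.parser = expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        if name == STREAM_TAG and self.depth > 0:
            self.findings.append(("nested_stream_opener",
                                  self.parser.CurrentByteIndex,
                                  f"depth={self.depth} attrs={sorted(attrs)}"))
        self.depth += 1

    def _end(self, name):
        self.depth -= 1

    def feed(self, chunk: bytes) -> bool:
        # Feed one captured chunk; returns False once the stream is unparseable.
        try:
            self.parser.Parse(chunk, False)
        except expat.ExpatError as err:
            self.findings.append(("malformed", self.parser.ErrorByteIndex,
                                  expat.ErrorString(err.code)))
            return False
        return True


def scan_session(chunks) -> list:
    # Run the scanner over one direction of a session, chunk by chunk.
    scanner = StreamScanner()
    for chunk in chunks:
        if not scanner.feed(chunk):
            break
    return scanner.findings


# Constructed samples. A benign body may mention the tag as escaped text;
# expat decodes that to character data, so it must not fire.
BENIGN = [
    b'<stream:stream xmlns="jabber:client" '
    b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">',
    b'<message to="b@example.com"><body>type &lt;stream:stream&gt; to test'
    b'</body></message>',
]

SMUGGLED = [
    b'<stream:stream xmlns="jabber:client" '
    b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">',
    b'<message from="a@example.com" to="b@example.com"><body>hi',
    b'<stream:stream xmlns="jabber:client" version="1.0">',
    b'<iq type="set" id="smuggled"><query xmlns="jabber:iq:roster"/></iq>',
    b'</body></message>',
]
```

`scan_session(BENIGN)` returns no findings, while `scan_session(SMUGGLED)` returns the nested opener at depth 3 followed by a "mismatched tag" finding when `</body>` arrives with the injected stream still open. The depth check is what keeps false positives down: a strict XML parser never reports an escaped `&lt;` as a start tag, so only a literal tag inside an open stanza is flagged.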
## References
- **Vendor Advisory:** hxxps[://]tools[.]cisco[.]com/security/center/publicationListing[.]x (Cisco security advisory listing; the source cites no specific advisory for this flaw)
- **Research Context:** hxxps[://]blog[.]mizu-re[.]com/posts/cisco-jabber-xmpp-smuggling/ (the Cisco Jabber XMPP smuggling write-up summarized above, which builds on the earlier Zoom XMPP research)