Last week, Cisco Systems, the large-scale Internet services provider, issued a critical alert regarding a number of vulnerabilities in its WebEx player. The Cisco WebEx Meetings Server is a WebEx that can be hosted in a customers’ own private cloud.
Cisco’s security advisory listed six bugs in total, each related to holes in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.
The WebEx ARF player and the WebEx WRF player save the meeting recordings, allowing users to rerun previous meetings afterwards. They are automatically installed on the device of an online meeting attendee.
In less severe cases, the vulnerabilities could cause player applications to crash. In more serious instances, the execution of arbitrary code from a remote attacker could be unleashed.
“A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file,” according to Cisco.
Products affected include:
- Cisco WebEx Business Suite (WBS30) client builds prior to T30.2
- Cisco WebEx Business Suite (WBS31) client builds prior to T31.14.1
- Cisco WebEx Business Suite (WBS32) client builds prior to T32.2
- Cisco WebEx Meetings with client builds prior to T31.14
- Cisco WebEx Meeting Server builds prior to 2.7MR3
Cisco has issued free software updates to address the bugs. As part of its mitigation strategy, the ISP has already updated Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF and WRF Players.
The Common Vulnerabilities and Exposures (CVE) numbers are CVE-2017-12367, CVE-2017-12368, CVE-2017-12369, CVE-2017-12370, CVE-2017-12371 and CVE-2017-12372. Each of the CVE’s have a base score of 9.6 out of 10 in relation to their severity.
Four of the six CVE are for RCE vulnerabilities. The CVE-2017-12367 is connected to a denial of service vulnerability. CVE CVE-2017-12369 is linked to a Cisco WebEx Network Recording Player out-of-bounds vulnerability.
Cisco Systems made clear that it was not aware of public exploits of the six vulnerabilities, and that no other Cisco products are currently known to be affected.
“To exploit these vulnerabilities, the player application would need to open a malicious ARF or WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using email), or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting,” Cisco said.
No workarounds are available for the vulnerabilities. However, all WebEx software can be completely removed from a system. Information to do so available here: https://collaborationhelp.cisco.com/article/en-us/WBX000026396
To determine exposure and the best possible solution, Cisco users can visit the Cisco Security Advisories and Alerts page.
Earlier this year, Cisco Systems issued a security alert about another bug connected to its WebEx players. This bug affected the WebEx extensions for Firefox and Chrome. An affected user could be convinced to go to a page controlled by the attackers, from which the attacker could then execute arbitrary code with the privileges of the affected browser. On July 12 and 13 2017 respectively, Cisco released updated versions of the extension on the Chrome Store and Mozilla’s add-ons store.