Cisco Systems’ WebEx conferencing platform has a critical vulnerability inside its recording function, which creates possibilities for remote code execution scenarios. The bug can be exploited if attackers are able to convince users to open a file that pretends it is a recording of a past WebEx event.
Cisco issued a security update last month for its videoconferencing software for a similar flaw that could be exploited simply by an attendee opening a malicious Flash file sharing during a meeting. The flaw had not been exploited in the wild before it was discovered and reported to Cisco by Alexandros Zacharis, an officer in the European Union Agency for Network and Information Security (ENISA). Nonetheless, Cisco urged its WebEx clients to urgently upgrade their software to the latest release or to completely remove it from their systems.
The latest vulnerability is present in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files, and can be leveraged by remote, unauthenticated attackers by persuading users to open a compromised ARF file.
WebEx meetings are recorded in the ARP file format. They are then stored either on the WebEx meeting site or on the computer of an online attendee, and can be played back, shared and/or edited using the free Cisco WebEx ARF Player on macOS or Windows. When a user accesses a recording file that a Cisco WebEx Meeting site host, the application can be automatically installed onto their system or is available to manually download.
Cisco said there is not a workaround for this flaw either, and recommended that its WebEx clients immediately install the offered security update for WebEx Business Suite, WebEx Meetings, and WebEx Meeting Server or entirely remove the software from their system using a specialized tool created by Cisco.
WebEx is used not only for business meetings, but also for audio and web conferencing, as well as broadcast applications like webinars and corporate C-suite speeches. Thus, potential attackers had access to a wide attack surface, which with the right social engineering and spam campaigns could easily have convinced multiple users to open a fake ARF file that would then have opened the door to executing arbitrary code on their victims’ systems.
The latest bug was identified by Kushal Arvind Shah of Fortinet’s FortiGuard Labs, who described the problem as “a memory corruption vulnerability”. Shah noted that there was no indication that the bug was currently being exploited in the wild.