Cisco addresses high severity RCE flaws in Webex Player

Pierluigi Paganini March 05, 2020

Cisco has released security updates to fix multiple vulnerabilities in various products, including two remote code execution flaws in Webex Player. 

The two remote code execution vulnerabilities fixed by Cisco are tracked as CVE-2020-3127 and CVE-2020-3128. Both have been rated as high severity and received a CVSS score of 7.8.

The vulnerabilities are caused by the insufficient validation of elements within a Webex recording stored as ARF (Advanced Recording Format) or WRF (Webex Recording Format).

A remote attacker could exploit the vulnerabilities by sending malicious ARF/WRF files and tricking the victim into opening them. Successful exploitation could result in the execution of arbitrary code with the privileges of the current user.

“The vulnerabilities are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system,” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user.”

The flaws affect Webex Meetings (Webex Network Recording Player and Webex Player versions prior to WBS 39.5.17 or WBS 39.11.0), Webex Meetings Online (Webex Network Recording Player and Webex Player releases earlier than 1.3.49), and Webex Meetings Server (Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2). 
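For inventory triage against the fixed releases listed above, a version check can be scripted. This is an added example, not code from Cisco or from the original article; the product keys and the sample inventory are hypothetical, and the way release trains are compared (39.5.x fixed at 39.5.17, every other train at 39.11.0, a missing MR or SecurityPatch counted as 0) is an assumption.

```python
import re

# Fixed releases as listed in the article; train handling below is an assumption.
ONLINE_FIXED = (1, 3, 49)
WBS_LOCKDOWN_FIXED = (39, 5, 17)   # assumed to apply to the 39.5.x train only
WBS_LATEST_FIXED = (39, 11, 0)     # assumed to apply to every other train
SERVER_FIXED = {3: (3, 0, 3, 1), 4: (4, 0, 2, 2)}  # (major, minor, MR, SecurityPatch)

def _dotted(version):
    """Parse 'WBS 39.5.17' or '1.3.49' into an integer tuple."""
    m = re.fullmatch(r"(?:WBS\s*)?(\d+)\.(\d+)\.(\d+)", version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())

def _server(version):
    """Parse '3.0MR3SecurityPatch1'; a missing MR or patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:MR(\d+))?(?:SecurityPatch(\d+))?",
                     version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_affected(product, version):
    """Return True if the release is earlier than the fix listed for its product."""
    if product == "meetings-online":
        return _dotted(version) < ONLINE_FIXED
    if product == "meetings":
        v = _dotted(version)
        fixed = WBS_LOCKDOWN_FIXED if v[:2] == (39, 5) else WBS_LATEST_FIXED
        return v < fixed
    if product == "meetings-server":
        v = _server(version)
        fixed = SERVER_FIXED.get(v[0])
        # Trains with no listed fix: older majors count as earlier releases.
        return v < fixed if fixed else v[0] < min(SERVER_FIXED)
    raise ValueError(f"unknown product: {product!r}")

def triage(inventory):
    """Return the hosts whose installed player release still needs the update."""
    return sorted(h for h, (p, v) in inventory.items() if is_affected(p, v))

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = {
    "ws-001": ("meetings", "WBS 39.5.16"),
    "ws-002": ("meetings", "WBS 39.11.0"),
    "ws-003": ("meetings-online", "1.3.48"),
    "srv-01": ("meetings-server", "3.0MR3"),
    "srv-02": ("meetings-server", "4.0MR2SecurityPatch2"),
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```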

Cisco confirmed that it is not aware of attacks in the wild exploiting the flaws. 

The tech giant also released security updates for another two high severity vulnerabilities, a Cisco Intelligent Proximity SSL Certificate Validation flaw (CVE-2020-3155) and a Cross-Site Request Forgery Vulnerability in Cisco Prime Network Registrar (CVE-2020-3148).

The CVE-2020-3155 flaw could be remotely exploited to view or alter information shared on Webex video devices and Cisco collaboration endpoints. 

The flaw is caused by the lack of validation of the SSL server certificate received when connecting to a Webex video device or a Cisco collaboration endpoint. In this scenario, an attacker could carry out a man-in-the-middle (MITM) attack.

The CVE-2020-3148 flaw impacts the web-based interface of Prime Network Registrar (CPNR) and could be exploited by a remote, unauthenticated attacker to launch a cross-site request forgery (CSRF) attack.

Cisco also fixed nine medium severity flaws that could lead to information disclosure, command execution, denial of service, cross-site scripting (XSS), or resource exhaustion. 

The flaws impact Webex Meetings Client for MacOS, TelePresence Management Suite, Remote PHY Device Software, Prime Collaboration Provisioning, Identity Services Engine (ISE), IOS XR Software, AsyncOS Software for Email Security Appliances (ESAs), and ESA, Web Security Appliance (WSA), and Content Security Management Appliance (SMA).

The full list of addressed issues is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco WebEx client)
