Cisco Systems issued a Critical alert on Wednesday warning of multiple vulnerabilities in its popular WebEx player. Six bugs were listed in the security advisory, each of them relating to holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.
“A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file,” according to Cisco.
Cisco warned exploitation of the vulnerabilities could allow arbitrary code execution on a targeted system. In less severe cases, the vulnerabilities could cause players to crash.
Vulnerable products include:
- Cisco WebEx Business Suite (WBS30) client builds prior to T30.20
- Cisco WebEx Business Suite (WBS31) client builds prior to T31.14.1
- Cisco WebEx Business Suite (WBS32) client builds prior to T32.2
- Cisco WebEx Meetings with client builds prior to T31.14
- Cisco WebEx Meeting Server builds prior to 2.7MR3
No workarounds are available for any of the vulnerabilities. Cisco has released software updates that address the bugs. It added, the Cisco Product Security Incident Response Team is not aware of any public exploits of the six vulnerabilities.
The vulnerabilities impact Cisco WebEx ARF Player and the Cisco WebEx WRF Player, both used to rerun previously saved WebEx meetings. Cisco said the players are automatically installed when a user attempts to playback saved meetings saved on a WebEx server.
As part of its mitigation Cisco said it has updated Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF and WRF Players.
The Common Vulnerabilities and Exposures (CVE) numbers are CVE-2017-12367, CVE-2017-12368, CVE-2017-12369, CVE-2017-12370, CVE-2017-12371 and CVE-2017-12372. Each of the CVE’s have a base score of 9.6 out of 10 when it comes to severity.
Four of the six CVE are for critical RCE vulnerabilities. The CVE-2017-12367 is tied to a denial of service vulnerability. And CVE CVE-2017-12369 is tied to a Cisco WebEx Network Recording Player out-of-bounds vulnerability.
“To exploit these vulnerabilities, the player application would need to open a malicious ARF or WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using email), or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting,” Cisco said.
In July, Cisco also updated its WebEx browser extensions for Chrome and Firefox after Google Project Zero researcher Tavis Ormandy and Divergent Security’s Cris Neckar privately disclosed a vulnerability that could be abused to remotely run code on a computer running the browser extension.