Cisco Systems is hoping three times is a charm. The networking giant has issued a third patch for a stubborn high-severity flaw in its Webex Meetings platform after researchers once again discovered a way to bypass the previous fix.
The privilege elevation vulnerability (CVE-2019-1674) exists in the update service of Cisco Webex Meetings Desktop App for Windows, and could allow an unauthenticated attacker to gain SYSTEM user privileges and run arbitrary commands. Before this latest bypass, Cisco had first patched the initial privilege-escalation vulnerability in October, and then again when researchers with SecureAuth bypassed that patch in November.
“The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files,” said SecureAuth researchers in a Wednesday post. “An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.”
The researchers notified Cisco about the latest bypass on Dec. 4, 2018. Cisco published a patch and advisory on Feb. 27.
Impacted are various versions of Cisco Webex Meetings Desktop App, between versions 220.127.116.11 and 18.104.22.168. Older versions are probably affected too, but they were not checked, researchers said. The vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1 releases and in Cisco Webex Productivity Tools Release 33.0.7.
Researchers said that the vulnerability stems from the update service of the tool failing to validate “version numbers” of new files – essentially giving an attacker elevated privileges by invoking the update service command with a crafted argument and folder.
The vulnerability comes with caveats – an attacker would need to be local and authenticated first before launching an attack, researchers said.
The attacker could replace the update binary (ptupdate.exe) with a previous vulnerable version through a fake update (the service uses an XML to check which files can be installed), which will load a malicious dynamic link library. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.
At a more technical level, the vulnerability can be exploited by copying the “atgpcdec.dll” binary to a local attacker controller folder, and renaming it “atgpcdec.7z.” Then, a previous version of the update binary (ptUpdate.exe) file would be compressed as 7z and copied to the controller folder.
A malicious dynamic link library must also be placed in the same folder, named vcruntime140.dll and compressed as vcruntime140.7z.
Finally, a ptUpdate.xml file must be provided in the controller folder for the update binary (ptUpdate.exe) to treat the files as a normal update, researchers said.
“To gain privileges, the attacker must start the service with the command line: sc start webexservice WebexService 1 989898 ‘attacker-controlled-path,” they said.
“Cisco is committed to transparency,” a Cisco spokesperson told Threatpost. “When security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it. On February 27, Cisco published a security advisory about a vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows. Cisco has released software updates that address this vulnerability.”