A critical vulnerability in Cisco WebEx browser extensions that could allow unauthenticated remote code-execution (RCE) on targeted machines is being actively exploited in the wild.
The news comes just days after Cisco issued a flurry of 24 different patches for its IOS XE operating system and warned of an incomplete fix for two small business routers (RV320 and RV325).
WebEx is Cisco’s widely used conferencing platform, which takes a cloud-based approach to on-demand web- and videoconferencing. Browser extensions make it easier for users to join meetings and collaborate.
In exploiting this latest bug, attackers could execute arbitrary code with the privileges of the affected browser on Windows PCs that have specific browser extensions installed. The vulnerable extensions are for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center and Support Center), according to an advisory.
“The vulnerability is due to a design defect in an application programing interface (API) response parser within the plugin,” Cisco said in the alert, issued Thursday.
The issue (CVE-2017-3823) can be easily exploited as well: An attacker needs only to convince an affected user to visit a booby-trapped web page or follow an attacker-supplied link with an affected browser. It appears that’s what’s happening now, according to the advisory.
The vulnerability was discovered in 2017 by Tavis Ormandy of Google, and Cisco subsequently released software updates for Google Chrome, Firefox and Internet Explorer, so users who haven’t should update immediately.
Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome, prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox, prior to the first fixed version of the GpcContainer Class ActiveX control plugin on Internet Explorer, and prior to 220.127.116.11 of the Download Manager ActiveX control plugin on Internet Explorer are affected.
Also on Thursday, Cisco updated its warning about a vulnerability in the web-based management interface of two small-business routers. The Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers have a bug that could allow an unauthenticated, remote attacker to retrieve sensitive information. Specifically, an attacker could download a router’s configuration or detailed diagnostic information, which could in turn be used to compromise it.
“The vulnerability is due to improper access controls for URLs,” Cisco explained in its advisory for the vulnerability. “An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs.”
The initial fix is incomplete, Cisco warned, adding that it’s working on an updated firmware. However, it subsequently added a mitigation recommendation to the mix:
“If the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure,” Cisco said. “The feature setting is under Firewall > General and is disabled by default. This will disable the web-based management interface on the WAN IP address, which is reachable via the WAN ports. The web-based management interface will continue to be available on the LAN IP address, which is reachable via the LAN ports.”
The issue affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases 18.104.22.168 and later.
Don’t miss the free replay of our Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub.”
Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.