Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems.
Beyond Webex, the networking giant on Wednesday also patched a slew of bugs across several products, including its small business RV routers and TelePresence Collaboration Endpoint software. It’s also investigating whether vulnerabilities affect other products.
The most severe flaw (CVE-2020-3342) exists in the Webex Meetings Desktop App for Mac and ranks 8.8 out of 10 on the CVSS scale. The flaw stems from an improper validation of cryptographic protections, on files that are downloaded by the application as part of a software update, according to Cisco.
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website,” according to Cisco’s security update. “The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.”
Versions of the Webex Meetings Desktop App for Mac app earlier than Release 39.5.11 are affected; a fix is available in releases 39.5.11 and later. Windows versions of the app are not affected.
A second flaw (CVE-2020-3361), which ranks 8.1 out of 10 on the CVSS scale, could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site. The vulnerability stems from improper handling of authentication tokens by a vulnerable Webex site.
“An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site,” according to Cisco’s security update. “If successful, the attacker could gain the privileges of another user within the affected Webex site.”
Cisco Webex Meetings sites (releases WBS 39.5.25 and earlier, WBS 40.4.10 and earlier, or release WBS 40.6.0), and Cisco Webex Meetings Server (releases 4.0MR3 and earlier) are affected. The flaw has been fixed in Cisco Webex Meetings Server Release 4.0 MR3 Security Patch 1; Cisco said customers on Cisco hosted Webex Meetings sites do not need to take any actions to receive this update.
The final Webex vulnerability exists in Cisco Webex Meetings Desktop App (releases earlier than Release 39.5.12), which could allow an unauthenticated, remote attacker to execute programs on an affected end-user system. This flaw (CVE-2020-3263) which ranks 7.5 out of 10 on the CVSS scale, is due to improper validation of input that is supplied to application URLs.
A bad actor could exploit the glitch by persuading a user to follow a malicious URL. They could then cause an application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system, according to Cisco. Cisco Webex Meetings Desktop App releases earlier than Release 39.5.12; a fix is available in releases 40.1.0 and later.
Cisco also patched a medium-severity flaw (CVE-2020-3347) that could enable an authenticated, local attacker to gain access to sensitive information – including usernames, meeting information, or authentication tokens – on an affected system.
“In an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory mapped file for a login token,” said Martin Rakhmanov with Trustwave’s SpiderLabs research team, who discovered the flaw, in a Thursday analysis. “Once found the token, like any leaked credentials, can be transmitted somewhere so that it can be used to login to the WebEx account in question, download Recordings, view/edit Meetings, etc.”
Remote Working Impact
The disclosed vulnerabilities come at a time when Webex and other online conferencing apps are surging in popularity, as the coronavirus drives more employees to work remotely.
“Due to the global pandemic of COVID-19, there’s been an explosion of video conferencing and messaging software usage to help people transition their work-life to a work from home environment,” said Rakhmanov. “Vulnerabilities in this type of software now present an even greater risk to its users.”
In addition to Webex, Cisco also patched another type of collaboration tool; its Cisco TelePresence Collaboration Endpoint Software, used for conferencing meetings. According to Cisco, a high-severity flaw (CVE-2020-3336) in the software could allow a remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The bad actor would need to be authenticated, however, which is in part why the bug only ranks 7.2 out of 10 on the CVSS scale.
“An attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API,” according to Cisco. “A successful exploit could allow the attacker to modify the device configuration or cause a DoS.”
Small Business Routers
Cisco also patched several high-severity flaws in its small business RV series routers, which offer virtual private networking technology for remote workers at small businesses.
These fixes address vulnerabilities tied to 11 CVEs in the web-based management interface of Cisco Small Business RV320, RV325, RV016, RV042, and RV082 routers, which if exploited could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code on an affected device.
Also patched were two flaws in the web-based management interface of Cisco RV110W, RV130, RV130W, and RV215W Series Routers, which if exploited could enable a authenticated attacker (with administrative privileges) to execute arbitrary commands remotely.
Flaws tied to six CVEs were also patched in the web-based management interface of Cisco Small Business RV320, RV325, RV016, RV042, and RV082 Routers. If exploited these could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.
Cisco’s Wednesday slew of security updates also addressed the critical “Ripple20” flaws that were disclosed on Monday. The 19 different vulnerabilities, four of them critical, affect hundreds of millions of internet of things (IoT) and industrial-control devices.
Cisco said it is currently investigating the Cisco ASR 5000 Series Router, Cisco Home Node-B Gateway, Cisco IP Services Gateway (IPSG) and Cisco PDSN/HA Packet Data Serving Node and Home Agent to see if they are affected by the flaws.
“Cisco is investigating its product line to determine which products may be affected by these vulnerabilities,” according to the advisory. “As the investigation progresses, Cisco will update this advisory with information about affected products.”
Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.