From 'WebEx' to 'WebExec' to 'WTF, my PC!' Cisco rapped in chat app security flap

Patch your vid conferencing software to stop malware, users nabbing admin rights

Sorry to spoil your day, Cisco admins and users, but it's time to patch Webex, again.

A freshly disclosed, exploitable security bug lies within the Cisco Webex Meetings Desktop App for Windows. While it's a privilege escalation bug rated one step below “critical”, at “high”, CVE-2018-15442 can be remotely abused in some circumstances.

Cisco described the programming blunder thus: “The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”

Malware running locally on a machine, or a malicious logged-in user, could abuse this hole to gain system administrator rights, if the box is running a vulnerable edition of Webex, and thoroughly compromise it with spyware and so on. A remote attack would have to come via the corporate network: "administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools," Cisco pointed out.

The bug's discoverers, Ron Bowes and Jeff McJunkin of Counter Hack, provided an outline of the flaw, which they've dubbed WebExec. The duo said the coding cockup has a peculiar characteristic: “it's a remote vulnerability in a client application that doesn't even listen on a port.”

Installing the WebEx client also installs WebExService, they explained, and this software can execute arbitrary commands as a system admin, rather than in the user's security context. “Due to poor ACLs, any local or domain user can start the process over Windows' remote service interface (except on Windows 10, which requires an administrator login)”, they continued.

The pair also created Nmap and Metasploit scripts to check for the vulnerability and demonstrate exploits.

Too easy

In his technical writeup of the bug, Bowes noted that “exploiting the vulnerability is actually easier than checking for it!” He continued: “The patched version of WebEx still allows remote users to connect to the process and start it. However, if the process detects that it's being asked to run an executable that is not signed by Webex, the execution will halt.”

So, in short: if you're a user, or sysadmin, check which version of Webex is installed, and upgrade as necessary. Cisco noted: “This vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.0, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows end-user system.”
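One way to act on both points, the version check just described and the loose service ACL that Bowes and McJunkin blame, as an added example that is not Cisco's or Counter Hack's code: the PowerShell below reads installed Webex products from the standard uninstall registry keys, compares each version with the ranges quoted from the advisory, and dumps WebExService's security descriptor to see which broad principals hold the start right. It assumes the uninstall entries' DisplayName contains "Webex" and that the service is named WebExService as the write-up says; any Webex entry not named Productivity Tools is compared against the desktop app's range, so confirm the product name by hand.

```powershell
# Added example, not Cisco's or Counter Hack's code. Assumptions: installed
# Webex products register an uninstall entry whose DisplayName contains "Webex",
# and the service is called WebExService as the write-up says. The affected
# version ranges are the ones quoted from the Cisco advisory.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Returns $true when a product/version pair falls inside the advisory's ranges:
#   Meetings Desktop App: every release before 33.6.0
#   Productivity Tools:   32.6.0 and later, but before 33.0.5
# Any other Webex-named entry is compared against the desktop app range.
function Test-WebexAffected {
    param(
        [Parameter(Mandatory)] [string]  $DisplayName,
        [Parameter(Mandatory)] [version] $Version
    )
    if ($DisplayName -like '*Productivity Tools*') {
        return ($Version -ge [version]'32.6.0') -and ($Version -lt [version]'33.0.5')
    }
    return $Version -lt [version]'33.6.0'
}

# Parses a service SDDL string and returns the allow ACEs that hand the
# SERVICE_START right (RP) or generic-all (GA) to broad principals:
# Everyone (WD), Authenticated Users (AU), Users (BU), Interactive (IU).
function Get-BroadStartAce {
    param([Parameter(Mandatory)] [string] $Sddl)
    $broad = 'WD', 'AU', 'BU', 'IU'
    foreach ($m in [regex]::Matches($Sddl, '\(A;[^;]*;([A-Z]*);;;([A-Z]{2})\)')) {
        $rights = $m.Groups[1].Value
        $sid    = $m.Groups[2].Value
        if ($broad -notcontains $sid) { continue }
        # Rights are a run of two-letter codes; split them so "RP" is matched as a code
        $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        if (($codes -contains 'RP') -or ($codes -contains 'GA')) { $m.Value }
    }
}

# 1. Inventory the installed Webex products and compare against the advisory
$apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Webex*' -and $_.DisplayVersion }

if (-not $apps) { Write-Output 'No Webex product found in the uninstall registry keys.' }
foreach ($app in $apps) {
    $ver = $null
    if ([version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        $state = if (Test-WebexAffected -DisplayName $app.DisplayName -Version $ver) {
            'AFFECTED - upgrade'
        } else {
            'not in the affected ranges'
        }
        Write-Output ("{0} {1}: {2}" -f $app.DisplayName, $ver, $state)
    } else {
        Write-Output ("{0}: cannot parse version '{1}', check by hand" -f $app.DisplayName, $app.DisplayVersion)
    }
}

# 2. Inspect who may start WebExService (the "poor ACLs" in the write-up)
if (Get-Service -Name 'WebExService' -ErrorAction SilentlyContinue) {
    $sddl  = (& sc.exe sdshow WebExService) -join ''
    $loose = @(Get-BroadStartAce -Sddl $sddl)
    if ($loose.Count -gt 0) {
        Write-Output "WebExService can be started by broad principals: $($loose -join ' ')"
    } else {
        Write-Output 'WebExService start right is not granted to Everyone/Authenticated Users/Users/Interactive.'
    }
} else {
    Write-Output 'WebExService is not installed on this host.'
}
```

Run it in PowerShell on the Windows host being checked. The ACL half is only a local view of the security descriptor: the write-up's point is that the start right is reachable over the remote service control interface, so an ACE granting RP to Authenticated Users or Everyone is what to look for, and a patched version that no longer runs unsigned executables still shows up as startable here.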

If you're in the mood for some good news after all that: Switchzilla continues to comb its products for the libssh bug that popped up earlier this month, and so far hasn't identified any vulnerable offerings. ®

Biting the hand that feeds IT © 1998–2022