Cisco drops patch for nasty WebEx remote code execution hole
Patch, then patch this, this, this, this, this, this, this, and this
Cisco is warning admins to apply a patch for a critical WebEx vulnerability, one of nine fixed this week.
The remote code execution flaw (CVE-2016-1482) could allow attackers to execute arbitrary commands on WebEx servers.
Admins can only apply the patch; Cisco has not provided any workaround mitigations.
"A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system," Cisco wrote in an advisory.
"The vulnerability is due to insufficient sanitization of user-supplied data processed by the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands into existing application scripts running on a targeted device located in a DMZ [and] could allow an attacker to execute arbitrary commands on the device with elevated privileges."
Denial-of-service vulnerabilities affect Cisco's Web Security Appliance, WebEx Meetings Server, IOS XE software, and Carrier Routing System.
That WebEx server flaw (CVE-2016-1483) is rated high severity and occurs thanks to improper validation of user accounts by specific services.
"An unauthenticated, remote attacker could exploit this vulnerability by repeatedly attempting to access a specific service, causing the system to perform computationally intensive tasks and resulting in a denial of service attack condition."