Yes, this is our third Cisco story of the day. It's about 23 bugs you need to fix, stat
Troll your WebEx-loving execs with a crafted recording file
We all know the only thing more fun than a WebEx conference is a recorded WebEx conference, which is why WebEx Network Recording Player exists – and if you use it, you need to patch it.
Switchzilla's 23-patch Wednesday Whack-a-Mole includes fixes for multiple buffer overrun WebEx vulnerabilities.
The WebEx vulns can be exploited by sending a victim an Advanced Recording Format (ARF) file. If they're the kind of tragic who can be convinced to spend part of their life replaying a Web conference, their machine will crash, opening the gate to remote code execution.
The software is part of the WebEx Business Suite; affected builds are listed on the advisory, and if you can't patch, Cisco provides instructions for removing the software entirely.
There are two other high-rated bugs splatted today, one in a Cisco Prime network management product, the other in its Virtualised Packet Core environment.
The Cisco Prime Infrastructure and Evolved Programmable Network Manager has an XML injection bug. The upside is that it's only exploitable by someone with valid credentials.
Users of the company's Virtualized Packet Core-Distributed Instance are exposed to a denial-of-service vulnerability: processes can be crashed by crafted IPv4 UDP packets.
The remainder are outlined below.
|Prime Collaboration Provisioning||4|
|Firepower Management Center||3|
|Identity Services Engine||2|
|Wide Area Application Services||1|
|Unified Contact Center||1|
|StarOS for ASR 5000||1|
For all you completists out there, here's Cisco's full list of vulns. And SEC Consult, which found four of the holes (CVE-2017-6662, CVE-2017-6698, CVE-2017-6699, and CVE-2017-6700), has a writeup of the coding cockups it report to Cisco here. ®