Flash! Ah-ahhh! WebEx pwned for all of us!
Cisco issues critical patch to stop in-meeting attacks
Cisco has patched a serious vulnerability in its WebEx software that lets an attacker remotely execute code on target machines via poisoned Adobe Flash files.
Switchzilla is today advising all users running WebEx Business Suite or WebEx Meetings (both client and server) to update their software in order to patch CVE-2018-0112.
The vulnerability, discovered and reported to Cisco by researcher Alexandros Zacharis of ENISA (the EU's network and information security body), stems from the failure by WebEx to properly check Flash (.swf) files when they are uploaded to a meeting room.
Zacharis found that an attacker could submit a malicious .swf to a room full of attendees via the file sharing tool, then execute the code on all of the targeted machines and do any number of unsavory things.
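The control the advisory implies was missing is content validation on the file-sharing path: a shared file should be classified by what its bytes actually are, not by its name or the MIME type the client declares. The following is an added illustration written for this article, not Cisco's code and not a description of how WebEx validates uploads. It sniffs the three SWF container signatures (FWS, CWS, ZWS), parses the SWF header, and rejects Flash content even when the file has been renamed to a benign-looking extension. The allowlist of expected file types, the filenames and the sample bytes are all constructed for the example.

```python
"""Content-based rejection of Flash (.swf) files on a file-sharing path.

Added example for the WebEx upload bug described above. It is not Cisco's
code; the allowlist and all sample inputs below are constructed assumptions.
"""
import zlib

# The three SWF container forms are identified by their first three bytes.
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

# Assumed allowlist of what a meeting-room file share is expected to carry.
ALLOWED_MAGICS = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",  # also covers docx/pptx/xlsx containers
}
EXT_TO_TYPE = {"pdf": "pdf", "png": "png", "zip": "zip",
               "docx": "zip", "pptx": "zip", "xlsx": "zip"}


def sniff_type(data: bytes) -> str:
    """Classify a blob by leading bytes, ignoring the filename entirely."""
    if data[:3] in SWF_MAGICS:
        return "swf"
    for magic, label in ALLOWED_MAGICS.items():
        if data.startswith(magic):
            return label
    return "unknown"


def parse_swf_header(data: bytes):
    """Return the SWF header fields (signature, version, declared length) or None.

    Layout: 3-byte signature, 1-byte version, uint32 little-endian file length
    (the uncompressed length for CWS/ZWS).
    """
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return None
    return {
        "compression": SWF_MAGICS[data[:3]],
        "version": data[3],
        "declared_length": int.from_bytes(data[4:8], "little"),
    }


def check_upload(filename: str, data: bytes) -> dict:
    """Decide whether a shared file may be pushed to the room's attendees."""
    sniffed = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if sniffed == "swf":
        # Reject on content, so a renamed .swf is caught as well.
        return {"allowed": False, "reason": "flash content", "sniffed": sniffed}
    if sniffed == "unknown":
        return {"allowed": False, "reason": "unrecognised content", "sniffed": sniffed}
    if EXT_TO_TYPE.get(ext) != sniffed:
        return {"allowed": False, "reason": "extension does not match content",
                "sniffed": sniffed}
    return {"allowed": True, "reason": "ok", "sniffed": sniffed}


# Constructed sample files (not real uploads).
FLASH_FWS = b"FWS" + bytes([10]) + (40).to_bytes(4, "little") + b"\x00" * 32
FLASH_CWS = b"CWS" + bytes([8]) + (100).to_bytes(4, "little") + zlib.compress(b"\x00" * 92)
SAMPLES = [
    ("slides.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("slides.pdf", FLASH_FWS),      # Flash renamed to look like a PDF
    ("intro.swf", FLASH_CWS),       # plainly named compressed Flash
    ("logo.png", b"%PDF-1.4\n"),    # extension/content mismatch
    ("notes.txt", b"plain text"),   # not on the allowlist
]


def demo():
    """Run every constructed sample through the check and return the verdicts."""
    return [(name, check_upload(name, data)["allowed"], check_upload(name, data)["reason"])
            for name, data in SAMPLES]


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{name:12} allowed={allowed!s:5} ({reason})")
```

The extension/content comparison is the part that matters for this class of bug: a check that looks only at the suffix, or only at the declared MIME type, passes the renamed file in the second sample.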
Cisco says Zacharis contacted them directly to report the bug and the company is not aware of any attacks targeting the vulnerability in the wild. The flaw has been given a CVSS score of 9.0 and a 'critical' severity designation by Cisco.
Other than updating WebEx Client/Server (or just deleting the thing), Cisco says there is no way to mitigate the vulnerability, so you'll want to get the latest version of the software to be sure the patch has been applied.
For those running WebEx Business Suite, the updated versions are T32.10 and T31.23.2. WebEx Meetings users will want to update their client software to T32.10, and Meetings Server should be updated to 2.8 MR2.
Also getting a patch is Unified Computing System (UCS) Director, where Cisco's tech support staff found a bug (CVE-2018-0238) that will let an end user view and run commands (with their target's current permission settings) on any VM currently being hosted by the datacenter management platform.
The information disclosure bug can be exploited via the UCS Director Web Interface, meaning all an attacker needs is a valid username and password. The access levels needed to exploit the bug (VM Management Actions permission) are enabled by default on end user accounts.
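The UCS Director flaw as described is a missing object-level check: the platform confirms that the caller holds the VM Management Actions permission but not that the VM belongs to the caller. The snippet below is an added example, not Cisco's code and not a model of UCS Director's internals; it puts the permission-only check next to one that also ties the VM to the caller's tenant. Users, tenants, VM identifiers and the action name are all constructed.

```python
"""Object-level authorization for VM actions (permission-only vs. ownership).

Added example for the UCS Director bug described above; not Cisco's code.
All users, tenants and VMs are constructed for the illustration.
"""
from dataclasses import dataclass, field

VM_MANAGEMENT = "VM Management Actions"  # permission name as given in the article


@dataclass
class User:
    name: str
    tenant: str
    permissions: set = field(default_factory=set)


@dataclass
class VM:
    vm_id: str
    tenant: str


# Constructed inventory: one VM in each of two tenants.
INVENTORY = {"vm-1": VM("vm-1", "tenant-a"), "vm-2": VM("vm-2", "tenant-b")}


def authorize_permission_only(user: User, vm_id: str, inventory=INVENTORY) -> bool:
    """Weak check: anyone holding the permission may act on any hosted VM."""
    return vm_id in inventory and VM_MANAGEMENT in user.permissions


def authorize_with_ownership(user: User, vm_id: str, inventory=INVENTORY) -> bool:
    """Hardened check: the permission is necessary, and the VM must also belong
    to the caller's tenant."""
    vm = inventory.get(vm_id)
    if vm is None:
        return False
    return VM_MANAGEMENT in user.permissions and vm.tenant == user.tenant


def run_vm_action(user: User, vm_id: str, action: str, authorize=authorize_with_ownership) -> dict:
    """Dispatch a VM action only after the chosen authorization check passes."""
    if not authorize(user, vm_id):
        return {"ok": False, "error": "forbidden"}
    return {"ok": True, "vm": vm_id, "action": action}


def demo():
    """Show the same request under both checks for a user in tenant-a."""
    alice = User("alice", "tenant-a", {VM_MANAGEMENT})
    return {
        "own_vm_weak": run_vm_action(alice, "vm-1", "power-off", authorize_permission_only),
        "other_vm_weak": run_vm_action(alice, "vm-2", "power-off", authorize_permission_only),
        "own_vm_hardened": run_vm_action(alice, "vm-1", "power-off"),
        "other_vm_hardened": run_vm_action(alice, "vm-2", "power-off"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} -> {result}")
```

A default-on permission is only safe when the object it applies to is scoped; the hardened function is what makes "VM Management Actions" mean "actions on your VMs" rather than "actions on every VM the platform hosts".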
Needless to say, admins will want to update UCS Director versions 6.0 and 6.5 to the "Patch 3" update in order to fix the flaw. Those running earlier versions of Director or Director Express for Big Data are in luck as those builds have not been deemed vulnerable. ®