Cisco has issued a warning after a critical vulnerability has been found in the Webex App that could allow malicious code to be smuggled in through specially crafted meeting invitation links.
“A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user,”
Cisco said in its advisory blog.
The vulnerability, assigned a CVSS base score of 8.8—making it a high-severity flaw—has prompted Cisco to release emergency patches for affected versions of the platform.
Examining the Webex Vulnerability
According to Cisco’s security advisory, the vulnerability, which relates to including functionality from an untrusted control sphere, stems from “insufficient input validation when Cisco Webex App processes a meeting invite link.”
This deficiency allows attackers to deliver and execute arbitrary code on victims’ systems.
The CVSS vector string for this vulnerability shows that exploitation requires user interaction but, if successful, fully compromises confidentiality, integrity, and availability.
In practice, this means an attacker crafting a malicious Webex meeting URL.
When an unsuspecting user clicks the weaponized meeting link, Webex processes it without proper validation, which permits the download of arbitrary files.
Once arbitrary files have been downloaded through the crafted link, commands can be executed on the victim’s system without any additional authorization.
The vulnerability can therefore lead to remote code execution with the privileges of the targeted user.
Cisco discovered the vulnerability during internal security testing rather than through reports of exploitation in the wild.
Now that the flaw has been publicly disclosed, however, weaponization could follow quickly.
Do You Need to Take Action?
According to Cisco’s advisory, the vulnerability affects specific versions of the Cisco Webex App across all operating systems and configurations.
The following versions are vulnerable:
- Cisco Webex App 44.6 (prior to version 44.6.2.30589)
- Cisco Webex App 44.7 (all releases)
Versions 44.5 and earlier, and 44.8 and later, have not been reported as affected.
Cisco has released software updates that address the vulnerability.
For users running version 44.6, upgrading to version 44.6.2.30589 or later patches the vulnerability.
Users on version 44.7 must migrate to a fixed release, as no direct patch is available for that version.
Cisco has stated, “There are no workarounds that address this vulnerability,” so upgrading to a fixed release is the only remediation.
Organizations using the Cisco Webex App are advised to update their installations immediately.
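For teams checking their own fleet, the following added example (not Cisco's tooling, and not from the original article) classifies installed Webex App version strings against the affected ranges stated above; it assumes versions are dotted numeric strings like those in the advisory.

```python
# Added example: classify a Cisco Webex App version against the affected
# ranges reported in the article (44.6 prior to 44.6.2.30589, and every
# 44.7 release). Assumes dotted numeric version strings; not Cisco's own code.
from typing import Dict, Tuple

FIXED_446 = (44, 6, 2, 30589)  # first fixed build on the 44.6 train, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '44.6.2.30589' into (44, 6, 2, 30589); reject non-numeric input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """Return True if the given Webex App version falls in an affected range."""
    v = parse_version(version)
    if v[:2] == (44, 6):
        # Pad short strings so '44.6' compares as (44, 6, 0, 0) < fixed build.
        padded = v + (0,) * max(0, len(FIXED_446) - len(v))
        return padded[: len(FIXED_446)] < FIXED_446
    if v[:2] == (44, 7):
        return True  # article: all 44.7 releases are affected; migrate to a fixed release
    return False  # 44.5 and earlier, 44.8 and later are not listed as affected


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'ok' | 'unparseable' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "ok"
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "laptop-01": "44.6.1.30000",
        "laptop-02": "44.6.2.30589",
        "laptop-03": "44.7.0.1",
        "laptop-04": "44.8.0.5",
        "kiosk-01": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```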
Cisco’s Previous Patches
Cisco regularly reviews products such as Webex, both to address issues missed in initial releases and to ship updates that mitigate emerging threats.
Last month, Cisco issued a warning to Webex for BroadWorks users after discovering a concerning security flaw.
Although deemed “low-severity,” the vulnerability in the app’s Release 45.2 gives malicious actors access to sensitive data if insecure transport is configured for SIP communication.
This post originally appeared on Service Management - Enterprise - Channel News - UC Today.