Cisco has recently patched multiple vulnerabilities in the Webex Network Recording Player. Thanks to researchers from Trend Micro Zero Day Initiative who reported the flaws to Cisco. All the vulnerabilities could allow an attacker to remotely execute arbitrary code on a targeted system.
Multiple RCE Vulnerabilities Discovered In Webex Network Recording Player
As stated in the security advisory by Cisco, two researchers separately reported vulnerabilities to Cisco in the Webex Network Recording Player. Precisely, they reported three different remote code execution flaws that could allow an attacker to execute arbitrary commands.
The vulnerabilities have received the CVE numbers CVE-2018-15414, CVE-2018-15421, and CVE-2018-15422, with a 7.8 CVSS base score. Explaining these vulnerabilities, Cisco stated,
“The vulnerabilities are due to improper validation of Webex recording files. An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a malicious file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could allow the attacker to execute arbitrary code on an affected system.”
According to Cisco, the vulnerabilities affected different versions of the Advanced Recording Format (ARF) players. These include Webex Network Recording Player from Cisco Webex Meetings Suite (WBS32) versions WBS32.15.10 and earlier, Cisco Webex Meetings Suite (WBS33) versions WBS33.3 and earlier, Cisco Webex Meetings Server versions 3.0MR2 and before, and Cisco Webex Meetings Online versions before the v 1.3.37. In addition, all software versions running across Windows, Mac and Linux systems remains affected by at least one of the three vulnerabilities disclosed.
Cisco Released Patched Software
After receiving alerts for the flaws, Cisco released patched software for customers. The users can simply check the player version running on their system from the “About” menu. They can then simply download the updated software from the Webex website.
Cisco thanked the ZDI researchers for reporting the flaws. Steven Seeley receives credit for notifying the vulnerabilities CVE-2018-15414 and CVE-2018-15422, whereas Ziad Badawi reported the CVE-2018-15421. Not to forget that ZDI has also identified zero-day RCE vulnerability in the Microsoft Jet Database Engine just recently.