Cisco WebEx Clients CVE-2018-0112 – Remote Code Execution

Authors:Cisco                 Risk:Critical

CVE:CVE-2018-0112            0day:Remote Code Execution

0day-id:0DAY-0112             Date:2018-04-20

Summary

  • A vulnerability in Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.

    The vulnerability is due to insufficient input validation by the Cisco WebEx clients. An attacker could exploit this vulnerability by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client. Exploitation of this vulnerability could allow arbitrary code execution on the system of a targeted user.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-wbs

Affected Products

Vulnerable Products

This vulnerability disclosed in this advisory affects the clients installed by customers when accessing a WebEx meeting. The following client builds of Cisco WebEx Business Suite (WBS30, WBS31, and WBS32), Cisco WebEx Meetings, and Cisco WebEx Meetings Server are impacted by the vulnerability described in this advisory:

  • Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.2
  • Cisco WebEx Business Suite (WBS32) client builds prior to T32.10
  • Cisco WebEx Meetings with client builds prior to T32.10
  • Cisco WebEx Meetings Server builds prior to 2.8 MR2

To determine whether a Cisco WebEx Business Suite site is running an affected version of the WebEx client build, users can log in to their Cisco WebEx meeting site and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under About Meeting Center. See the “Fixed Software” section for details.

Alternatively, version information of the Cisco WebEx meeting client can be accessed from within the Cisco WebEx meeting client. Version information for the Cisco WebEx meeting client on Windows and Linux platforms can be viewed by choosing Help > About Cisco WebEx Meeting Center. Version information for the Cisco WebEx meeting client on Mac platforms can be viewed by choosing Meeting Center > About Cisco WebEx Meeting Center.

The Cisco WebEx software updates are cumulative in client builds. For example, if client build 30.32.16 is fixed, build 30.32.17 will contain the fix. Cisco WebEx site administrators have access to secondary version nomenclature; for example, T30 SP32 EP 16, which shows that the server is running client build 30.32.16.

Note: Customers who do not receive automatic software updates may be running versions of Cisco WebEx that have reached end of software maintenance and should contact customer support.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this vulnerability.

Leave a Reply