Playback risk for remote working technology resolved
Cisco has warned that vulnerabilities in its Webex conferencing and recording-player applications pose a risk of remote code execution (RCE).
Users of Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows are urged to apply patches released on Wednesday by the networking giant.
The security flaws stem from “insufficient validation of certain elements of a Webex recording stored in the advanced recording format (ARF) or in the Webex recording format (WRF)”, Cisco’s advisory explains.
Playback risk
Cisco Webex Meetings services can be configured to allow users to store meeting recordings online and download these recordings as ARF files. These services can also be configured to allow users to save meetings directly to their local computers as WRF files.
The Cisco Webex Network Recording Player and the Cisco Webex Player are used to play back ARF and WRF files, respectively.
Attackers could trick potential targets into opening a malicious ARF or WRF file on a system running a vulnerable version of the playback software.
The attack would involve an element of social engineering, since it would require enticing victims either to visit a booby-trapped website or to open the attachment of a phishing email.
Both tactics are well-practised attack tricks, so the risk posed by the vulnerabilities is all too real.
Bad timing
The timing of the Cisco Webex security flaws is particularly unfortunate, as many organizations around the world are considering greater use of remote working technologies such as videoconferencing in response to the coronavirus epidemic.
The vulnerabilities mean that versions of Webex Network Recording Player and Webex Player prior to version 1.3.49 need patching.
Cisco Webex Meetings prior to WBS 39.5.17 or WBS 39.11.0 must also be updated.
Cisco Webex Meetings Server, the private cloud-based version of the technology, also needs updating on versions earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2.
Cisco credited Francis Provencher, working with Trend Micro’s Zero Day Initiative, and Kexu Wang of Fortinet’s FortiGuard Labs for reporting the Webex vulnerabilities, tracked as CVE-2020-3127 and CVE-2020-3128.
In related patching news, Cisco on Wednesday also released a fix for a lower-severity information disclosure vulnerability in its Webex client for macOS.
A weakness in the multicast DNS (mDNS) configuration of the Cisco Webex Meetings Client for macOS could allow an “unauthenticated adjacent attacker to obtain sensitive information on the device on which the Webex client is running”, Cisco explains in a separate advisory.