It’s time to patch again the Cisco Webex video conferencing software of your organization to avoid ugly surprise.
The vulnerability could be exploited by an authenticated, local attacker to execute arbitrary commands as a privileged user.
“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.” states the advisory published by Cisco.
“While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.”
Cisco advisory reveals that the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
The vulnerability could be exploited by a malware or ill-intentioned logged-in user to gain system administrator rights and carry out malicious activities.
The vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.0, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows end-user system.
Bowes and McJunkin dubbed the issue WebExec, they explained that it’s a remote vulnerability in a client application that doesn’t even listen on a port.
The experts pointed out that the installation of the WebEx client also include the WebExService that can execute arbitrary commands as a system admin.
“WebExec is a vulnerability in, as the name implies, Cisco’s WebEx client software. This is a pretty unique vulnerability, because it’s a remote vulnerability in a client application that doesn’t even listen on a port.” wrote the experts.
“The summary is: when the WebEx client is installed, it also installs a Windows service called WebExService that can execute arbitrary commands at SYSTEM-level privilege. Due to poor ACLs, any local or domain user can start the process over Window’s remote service interface (except on Windows 10, which requires an administrator login).”
The flaw was discovered 0n July 24, 2018, and it was reported to Cisco on August 6, 2018. On October 24, 2018, the company released the advisory.
In order to allow admins and users to check and exploit the flaw, the security duo created Nmap and Metasploit scripts.
According to Bowes, the exploitation of the flaw is very easy.
“exploiting the vulnerability is actually easier than checking for it!” wrote Bowes.
“The patched version of WebEx still allows remote users to connect to the process and start it. However, if the process detects that it’s being asked to run an executable that is not signed by Webex, the execution will halt.”
(Security Affairs – Cisco Webex, hacking)