ESB-2017.1576 - [Win][OSX] Cisco WebEx Network Recording Player: Execute arbitrary code/commands - Remote with user interaction 2017-06-22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1576
           Cisco WebEx Network Recording Player Multiple Buffer
                         Overflow Vulnerabilities
                               22 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco WebEx Network Recording Player
Publisher:         Cisco Systems
Operating System:  Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6669  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-wnrp

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities

High

Advisory ID:
cisco-sa-20170621-wnrp

First Published:
2017 June 21 16:00  GMT

Version 1.0:
Final

Workarounds:
No workarounds available

Cisco Bug IDs:
CSCvc47758
CSCvc51227
CSCvc51242
CVE-2017-6669
CWE-119

CVSS Score:
Base 7.3, Temporal 7.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
CVE-2017-6669
CWE-119

Summary

    Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network
    Recording Player for Advanced Recording Format (ARF) files. An attacker
    could exploit these vulnerabilities by providing a user with a malicious
    ARF file via email or URL and convincing the user to launch the file.
    Exploitation of these vulnerabilities could cause an affected player to
    crash and, in some cases, could allow arbitrary code execution on the
    system of a targeted user.

    The Cisco WebEx Network Recording Player is an application that is used to
    play back WebEx meeting recordings that have been recorded on the computer
    of an online meeting attendee. The player can be automatically installed
    when the user accesses a recording file that is hosted on a WebEx server.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-wnrp

Affected Products

   Vulnerable Products

    This vulnerability affects the Cisco WebEx ARF Player. The following client
    builds are affected by this vulnerability:
       Cisco WebEx Business Suite (WBS29) client builds prior to T29.13.130
       Cisco WebEx Business Suite (WBS30) client builds prior to T30.17
       Cisco WebEx Business Suite (WBS31) client builds prior to T31.10
    To determine whether a Cisco WebEx meeting site is running an affected
    version of the WebEx client build, users can log in to their Cisco WebEx
    meeting site and go to the Support > Downloads section. The version of the
    WebEx client build will be displayed on the right side of the page under
    "About Support Center."

    Alternatively, version information of the Cisco WebEx Meeting client can be
    accessed from within the Cisco WebEx Meeting client. Version information
    for the Cisco WebEx meeting client on Windows and Linux platforms can be
    viewed by choosing Help > About Cisco WebEx Meeting Center. Version
    information for the Cisco WebEx meeting client on Mac platforms can be
    viewed by choosing Meeting Center > About Cisco WebEx Meeting Center.

    The Cisco WebEx software updates are cumulative in client builds. For
    example, if client build 29.32.16 is fixed, build 29.32.17 will contain
    updated software. Cisco WebEx site administrators have access to secondary
    version nomenclature, for example, T29 SP32 EP16, which shows that the
    server is running client build 29.32.16.

    Note: Customers who do not receive automatic software updates may be
    running versions of Cisco WebEx that have reached end of software
    maintenance and should contact customer support.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this
    vulnerability.

    Cisco has confirmed that this vulnerability does not affect the Cisco WebEx
    WRF Player.

Details

    The Cisco WebEx Business Suite (WBS) meeting services are a hosted
    multimedia conferencing solution that is managed and maintained by Cisco
    WebEx. The Cisco WebEx Meetings Server is a multimedia conferencing
    solution that customers can host in their private clouds.

    The ARF file format is used to store WebEx meeting recordings that have
    been recorded on a WebEx meeting site.

    The Cisco WebEx ARF Player is an application that is used to play back and
    edit WebEx ARF recording files (files with .arf extensions).

    The Cisco WebEx ARF Player can be automatically installed when the user
    accesses a recording file that is hosted on a WebEx meeting site (for
    stream playback mode). The Cisco WebEx ARF Player can also be manually
    installed after downloading the application from
    http://www.webex.com/play-webex-recording.html to play back recording
    files for offline playback.

    The Cisco WebEx ARF Player is available for all Cisco WebEx Business Suite
    clients (WBS29, WBS30, and WBS31), Cisco WebEx Meetings, and for Cisco
    WebEx Meetings Server clients.

    Exploitation of this vulnerability may cause player applications to crash
    or, in some cases, allow remote code execution.

    To exploit this vulnerability, the player application would need to open a
    malicious ARF file. An attacker may be able to accomplish this exploit by
    providing the malicious recording file directly to users (for example, by
    using email), or by directing a user to a malicious web page. The
    vulnerabilities cannot be triggered by users who are attending a WebEx
    meeting.

Workarounds

    There are no workarounds that address this vulnerability. However, it is
    possible to remove all WebEx software completely from a system using the
    Meeting Services Removal Tool (for Microsoft Windows users) or Mac
    Cisco-WebEx Uninstaller (for Apple Mac OS X users) available at
    https://help.webex.com/docs/DOC-2672.

    Removal of WebEx software from a Linux or UNIX-based system can be
    accomplished by following the steps in the WebEx knowledge base help
    article at the following link:
    https://support.webex.com/MyAccountWeb/knowledgeBase.do?root=Tools&parent=Knowledge&articleId=WBX28548&txtSearchQuery=uninstall%20linux#.

Fixed Software

    Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain
    sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    The following client builds of Cisco WebEx Business Suite (WBS29, WBS30,
    WBS31) address this vulnerability:
       Cisco WebEx Business Suite (WBS29) client builds T29.13.130 or later
       Cisco WebEx Business Suite (WBS30) client builds T30.17 or later
       Cisco WebEx Business Suite (WBS31) client builds T31.10 or later
    To determine whether a Cisco WebEx meeting site is running an affected
    version of the WebEx client build, users can log in to their Cisco WebEx
    meeting site and go to the Support > Downloads section. The version of the
    WebEx client build will be displayed on the right side of the page under
    "About Support Center." The Cisco WebEx software updates are cumulative in
    client builds. For example, if client build 29.32.16 is fixed, build
    29.32.17 will contain updated software.
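    The version check described above (affected builds, cumulative fixed
    builds per WBS train, and the alternative "T29 SP32 EP16" nomenclature
    shown to site administrators) can be automated for a fleet inventory.
    The following Python is an added example written for this bulletin; it is
    not Cisco's or AusCERT's code. It assumes build strings in the forms the
    advisory shows ("T29.13.130", "29.32.16", "T29 SP32 EP16"); the hostnames
    and builds in SAMPLE_INVENTORY are constructed for illustration.

```python
import re

# Fixed client builds from the advisory, keyed by WBS train (major number).
# Updates are cumulative, so any build at or above the threshold for its
# train contains the fix; builds below it are affected.
FIXED_BUILDS = {
    29: (29, 13, 130),   # WBS29: T29.13.130 or later
    30: (30, 17),        # WBS30: T30.17 or later
    31: (31, 10),        # WBS31: T31.10 or later
}

# "T29.13.130" or "29.32.16" (optional leading T, dotted numeric components)
_DOTTED = re.compile(r"^T?(\d+(?:\.\d+)*)$")
# Administrator nomenclature: "T29 SP32 EP16" (EP may be absent)
_SP_EP = re.compile(r"^T(\d+)\s+SP(\d+)(?:\s+EP(\d+))?$", re.IGNORECASE)


def parse_build(text):
    """Normalise a WebEx client build string to a tuple of ints.

    'T29.13.130' -> (29, 13, 130); 'T29 SP32 EP16' -> (29, 32, 16).
    """
    s = text.strip()
    m = _SP_EP.match(s)
    if m:
        parts = [m.group(1), m.group(2)]
        if m.group(3):
            parts.append(m.group(3))
        return tuple(int(p) for p in parts)
    m = _DOTTED.match(s)
    if m:
        return tuple(int(p) for p in m.group(1).split("."))
    raise ValueError(f"unrecognised WebEx build string: {text!r}")


def is_fixed(text):
    """True if the build is at or above the fixed build for its train.

    Returns False for an affected build and None when the train is not one
    the advisory covers (WBS29/30/31), so callers can report it separately.
    Tuple comparison gives the right order for cumulative builds: (29, 32, 16)
    is above (29, 13, 130) because 32 > 13, and (30, 16, 5) is below (30, 17).
    """
    build = parse_build(text)
    fixed = FIXED_BUILDS.get(build[0])
    if fixed is None:
        return None
    return build >= fixed


def triage(inventory):
    """Split {host: build} into (hosts needing update, hosts on unknown trains)."""
    needs_update, unknown_train = [], []
    for host, build in sorted(inventory.items()):
        state = is_fixed(build)
        if state is None:
            unknown_train.append(host)
        elif not state:
            needs_update.append(host)
    return needs_update, unknown_train


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "desk-01": "T29.13.130",   # WBS29 at the fixed build
    "desk-02": "29.12.9",      # WBS29 prior to T29.13.130: affected
    "desk-03": "T30 SP17",     # WBS30 in admin nomenclature, at fixed level
    "desk-04": "T31.9.2",      # WBS31 prior to T31.10: affected
    "desk-05": "T32.1",        # train not covered by this advisory
}

if __name__ == "__main__":
    needs, unknown = triage(SAMPLE_INVENTORY)
    print("needs update:", needs)
    print("train not covered by advisory:", unknown)
```

    A build given without an EP component (for example "T29 SP13") compares
    as lower than "T29.13.130", which matches the advisory's statement that
    WBS29 builds prior to T29.13.130 are affected.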

    Users who have downloaded the ARF player directly from the WebEx site can
    update their player manually by downloading the application from
    http://www.webex.com/play-webex-recording.html.

    NOTE: Users whose WebEx Business Suites are on lockdown will need to
    contact WebEx Support to apply the appropriate patch to their WebEx site.

Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

    This vulnerability was reported to Cisco by Trend Micro.

Cisco Security Vulnerability Policy

    To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-wnrp

Revision History

     Version   Description               Section   Status   Date
     1.0       Initial public release.             Final    2017-June-21

Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----