ESB-2017.1765.2 - UPDATE ALERT [Win] Cisco WebEx extensions: Execute arbitrary code/commands - Remote with user interaction 2017-07-24

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.1765.2
     Cisco WebEx Browser Extension Remote Code Execution Vulnerability
                               24 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco WebEx extensions for Google Chrome
                   Cisco WebEx extensions for Mozilla Firefox
                   Cisco WebEx Desktop Applications
Publisher:         Cisco Systems
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6753  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Revision History:  July 24 2017: Included browser auto-update information.
                   July 18 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco WebEx Browser Extension Remote Code Execution Vulnerability

Critical

Advisory ID: cisco-sa-20170717-webex

First Published: 2017 July 17 16:00 GMT

Last Updated: 2017 July 19 23:01 GMT

Version 1.2: Final

Workarounds: No workarounds available

Cisco Bug IDs:

CSCvf15012

CSCvf15020

CSCvf15030

CVSS Score:

Base 9.6, Temporal 9.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X

CVE-2017-6753

CWE-119

Summary

A vulnerability in Cisco WebEx browser extensions for Google Chrome and 
Mozilla Firefox could allow an unauthenticated, remote attacker to execute 
arbitrary code with the privileges of the affected browser on an affected 
system. This vulnerability affects the browser extensions for Cisco WebEx 
Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training 
Center, and Support Center), and Cisco WebEx Meetings when they are running on
Microsoft Windows.

The vulnerability is due to a design defect in the extension. An attacker who
can convince an affected user to visit an attacker-controlled web page or 
follow an attacker-supplied link with an affected browser could exploit the 
vulnerability. If successful, the attacker could execute arbitrary code with 
the privileges of the affected browser.

Cisco has released software updates for Google Chrome and Mozilla Firefox that
address this vulnerability. There are no workarounds that address this 
vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Affected Products

Vulnerable Products

This vulnerability affects Cisco WebEx extensions for Windows when running on
most supported browsers. The affected browsers are Google Chrome and Mozilla 
Firefox.

The following versions of the Cisco WebEx browser extensions are affected by 
the vulnerability described in this document:

Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome

Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox

Customers can use the following steps to determine which versions of the Cisco
WebEx extensions are being used.

Google Chrome

Chrome users can determine the version of the Cisco WebEx extension for Google
Chrome by doing the following:

In Chrome, click the menu button (three dots at the upper right of the 
application) and choose More Tools > Extensions.

The extension version is listed next to the Cisco WebEx extension name.

The Cisco WebEx extension for Google Chrome identification string, which 
organizations can use to identify hosts that contain the extension, is the 
following:

jlhmfgmfgeifomenelglieieghnjghma

Mozilla Firefox

Firefox users can determine the version of the Cisco WebEx extension for 
Mozilla Firefox by doing the following:

In Firefox, click the menu button (three horizontal bars at the upper right of
the application) and choose Add-ons.

Click the Extensions tab.

Locate Cisco WebEx Extension in the list of extensions and click the More link
to obtain the version information.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this 
vulnerability.

Cisco has confirmed that this vulnerability does not affect the following 
products:

Cisco WebEx Productivity Tools

Cisco WebEx browser extensions for Mac or Linux

Cisco WebEx on Microsoft Edge or Internet Explorer

Workarounds

There are no workarounds that address this vulnerability. However, Windows 
users may use Internet Explorer and administrators and users of Windows 10 
systems may use Microsoft Edge to join and participate in WebEx sessions 
because Microsoft Internet Explorer and Microsoft Edge are not affected by 
this vulnerability. Additionally, administrators and users can remove all 
WebEx software from a Windows system by using the Meeting Services Removal 
Tool, which is available from https://help.webex.com/docs/DOC-2672.

Fixed Software

Cisco has released free software updates that address the vulnerability 
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle 
customers to a new software license, additional software feature sets, or 
major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service 
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should 
obtain upgrades by contacting the Cisco TAC:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to 
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

To resolve the vulnerability, users must ensure that they have updated 
versions of the following:

Cisco WebEx extensions for Google Chrome or Mozilla Firefox

Cisco WebEx Desktop Applications

For the latest information about fixes for the following products, consult the
appropriate Cisco bug ID:

Cisco WebEx Meeting Center: CSCvf15012

Cisco WebEx Event Center: CSCvf15036

Cisco WebEx Training Center: CSCvf15033

Cisco WebEx Support Center: CSCvf15037

Cisco WebEx Meetings Server: CSCvf15020

Cisco WebEx Meetings: CSCvf15030

Browser Updates

The following subsections provide instructions for updating the Cisco WebEx 
browser extensions. Customers can allow their browsers to auto-update by 
launching the browser and keeping the browser window open for 3-6 hours, 
during which time the extensions will be auto-updated.

Note: Should the browser window close before the auto-update check completes,
the timer will reset, requiring a browser window to be launched at a later 
time and remain open for 3-6 hours to receive the update.

Google Chrome

The Cisco WebEx extension for Google Chrome version 1.0.12 was released on 
July 13, 2017, and contains a fix for this vulnerability. Chrome users can 
ensure they are using the fixed version of the Cisco WebEx extension for 
Google Chrome by doing the following:

In Chrome, click the menu button (three dots at the upper right of the 
application) and choose More Tools > Extensions.

Check the Developer mode check box at the top of the extensions manager. 
Chrome will display a row of buttons.

Click the Update extensions now button.

Restart the Chrome browser.

Mozilla Firefox

The Cisco WebEx extension for Mozilla Firefox version 1.0.12 was released on 
July 12, 2017, and contains a fix for this vulnerability. Firefox users can 
ensure they are using the fixed version of the Cisco WebEx extension for 
Mozilla Firefox by doing the following:

In Firefox, click the menu button (three horizontal bars at the upper right of
the application) and choose Add-ons.

Click the Extensions tab.

Locate Cisco WebEx Extension in the list of extensions and click the More link
to obtain the version information.

Click the cogwheel next to the search bar and choose Check for Updates.

Microsoft Internet Explorer

Because there are shared components between the Google Chrome and Mozilla 
Firefox extensions and Internet Explorer, Internet Explorer users will be 
prompted to update Cisco WebEx plug-ins. The plug-ins are available as part of
the Cisco WebEx client packages associated with each WebEx product, and will 
be available to download after a WebEx site has been upgraded to a fixed 
version. Upgraded clients are available from the Downloads section of each 
site after an upgrade has been performed. Users that connect to an upgraded 
site without the updated client software may be prompted to perform an online
upgrade.

Customers may check that the browser plug-in upgrade was successful by using 
the following procedures for Microsoft Internet Explorer:

Note: The registered name of the plug-in in Internet Explorer may differ based
on the installation method used for the plug-in. The version of the plug-in 
depends on the version of Cisco WebEx that provided the update. The update may
have been applied either via the web when joining a WebEx meeting or by a 
local update of the client via an MSI file. When a fixed version of the 
plug-in from any version of Cisco WebEx is installed, it will not be 
downgraded or changed to a version installed by a different fixed version of 
Cisco WebEx. Internet Explorer users can ensure they are using the fixed 
version of the plug-in for Internet Explorer by doing the following:

In Internet Explorer, click the Tools button (the cog icon at the upper right
of the application) and choose Manage add-ons.

From the Show drop-down menu, choose All add-ons.

Select either the Download Manager or GpcContainer Class add-on under Cisco 
WebEx LLC. The version number is displayed at the bottom of the Manage add-ons
window.

Validate that the Download Manager version or GpcContainer Class version 
displayed is one of the version strings in the following table:

Cisco WebEx Major Version    Fixed GPC Container or Download Manager Version

32.3.4.5                     10032.3.2017.711
31.14.3.30                   10031.14.2017.711
31.11.11                     10031.11.2017.0713
30.20.3.10012                10030.100.2017.0711
30.9.3                       10030.100.2017.0713
30.6.7                       10030.100.2017.0713
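
A defender-side inventory check built from the Chrome extension identification string given earlier and the Internet Explorer plug-in version table above; this is an added example, not Cisco's or AusCERT's code. It assumes Chrome's on-disk extension layout of <profile>/Extensions/<extension id>/<version>/manifest.json and reads the version from each manifest.json rather than from the directory name; the sample profile it builds is constructed test data.

```python
import json
import os
import tempfile

WEBEX_CHROME_ID = "jlhmfgmfgeifomenelglieieghnjghma"  # identification string from the advisory
FIXED_CHROME_VERSION = (1, 0, 12)                     # first fixed Chrome/Firefox extension release

# Fixed Internet Explorer plug-in builds (GpcContainer Class / Download Manager) from the table
FIXED_IE_PLUGIN_VERSIONS = {
    "10032.3.2017.711", "10031.14.2017.711", "10031.11.2017.0713",
    "10030.100.2017.0711", "10030.100.2017.0713",
}

def parse_version(text):
    """Split a dotted version into integers: a plain string compare would rank
    "1.0.9" above "1.0.12" and report a vulnerable extension as fixed."""
    return tuple(int(part) for part in text.strip().split("."))

def chrome_extension_vulnerable(version):
    """True when the installed WebEx extension is older than 1.0.12."""
    return parse_version(version) < FIXED_CHROME_VERSION

def ie_plugin_fixed(version):
    """True when the Manage add-ons version string is one of the fixed builds."""
    return version.strip() in FIXED_IE_PLUGIN_VERSIONS

def find_webex_versions(extensions_dir):
    """List every installed WebEx extension version under a Chrome profile's
    Extensions directory (assumed layout: <id>/<version dir>/manifest.json).
    Chrome may keep more than one version directory, so all are reported."""
    ext_dir = os.path.join(extensions_dir, WEBEX_CHROME_ID)
    if not os.path.isdir(ext_dir):
        return []
    versions = []
    for entry in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, entry, "manifest.json")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8") as fh:
                versions.append(json.load(fh)["version"])
    return versions

def audit_profile(extensions_dir):
    """Map each installed WebEx version to True if it is still vulnerable."""
    return {v: chrome_extension_vulnerable(v) for v in find_webex_versions(extensions_dir)}

def build_sample_profile(*versions):
    """Constructed fixture: a temporary Extensions directory holding the given versions."""
    root = tempfile.mkdtemp()
    for version in versions:
        path = os.path.join(root, WEBEX_CHROME_ID, version)
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "Cisco WebEx Extension", "version": version}, fh)
    return root
```

On a real host, point audit_profile at the profile's Extensions directory (for example under %LOCALAPPDATA%\Google\Chrome\User Data\Default) and treat any True entry as a host still needing the 1.0.12 update.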


Validating Cisco WebEx Desktop Application Product Upgrades

Cisco has released fixes for all major versions for Cisco WebEx Desktop 
Application for use with following products:

Cisco WebEx Meeting Center

Cisco WebEx Event Center

Cisco WebEx Training Center

Cisco WebEx Support Center

Cisco WebEx Meetings


Cisco WebEx Major Version    Fixed Desktop Application Version

WBS32                        32.3.4.5
WBS31                        31.14.3, 31.11.11
WBS30                        30.20.3, 30.9.3, 30.6.7


Note: There are no fixes available for WBS29.

Current WebEx customers can confirm that their site has received updated 
software by reviewing the Application Version information in the Support 
section of their WebEx page. Perform the following steps to view this 
information:

Sign in to your WebEx account

Click the Meeting Center tab

Under Support, click Downloads

The Application Version is displayed on the right side of the screen under the
About Meeting Center heading

If you have not automatically received the update, please contact Cisco 
Support or a Cisco partner.

Note: The clients for all licensed features of a Cisco WebEx product must be 
upgraded to ensure compatibility with the deployed site application version. 
Upgrading a single client will resolve the vulnerability documented by 
CVE-2017-6753. The following clients are available:

Cisco WebEx Meeting Center Client

Cisco WebEx Event Center Client

Cisco WebEx Training Center Client

Cisco WebEx Support Center Client

Cisco WebEx Access Anywhere Client

Cisco WebEx Remote Access Client

Cisco WebEx Meetings

Cisco has released a fix for Cisco WebEx Meetings. Cisco WebEx Meetings 
Software has been upgraded to T30.20.3.

Cisco WebEx Meetings Server

Customers who have deployed Cisco WebEx Meetings Server, the onsite Cisco 
WebEx offering, can download updated software at 
https://software.cisco.com/download/navigator.html?mdfid=282628019&flowid=76922
or choose the following options from the Cisco Software Center:

Products > Conferencing > Web Conferencing > WebEx Meetings Server

Cisco WebEx Meetings Server version 2.6 customers should migrate to Cisco 
WebEx Meetings Server 2.7 or later. The following releases of Cisco WebEx 
Meetings Server have been updated to address this vulnerability:

WebEx Meetings Server 2.7MR2 Patch 9

WebEx Meetings Server 2.8 Patch 3

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described 
in this advisory.

Source

This vulnerability was reported to Cisco by Tavis Ormandy of Google Project 
Zero and Cris Neckar of Divergent Security.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Revision History

  Version  Description                                Section         Status    Date
      1.2  Included browser auto-update information.  Fixed Software  Final     2017-July-19
      1.1  Modified workarounds section.              Workarounds     Final     2017-July-18
      1    Initial public release.                                    Final     2017-July-17


LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the 
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end 
users of Cisco products.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================