ESB-2018.2661 - [Win][Cisco] Cisco Webex products: Multiple vulnerabilities 2018-09-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2661
   Multiple vulnerabilities have been identified in Cisco Webex Products
                             7 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Meetings Client for Windows
                   Cisco Webex Player
                   Cisco Webex Teams
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
Impact/Access:     Increased Privileges     -- Existing Account      
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0457 CVE-2018-0436 CVE-2018-0422

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod

Comment: This bulletin contains three (3) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security

Cisco Webex Meetings Client for Windows Privilege Escalation Vulnerability

Priority:	  High
Advisory ID:	  cisco-sa-20180905-webex-pe
First Published:  2018 September 5 16:00 GMT
Version 1.0:	  Final
Workarounds:	  No workarounds available
Cisco Bug IDs:	  CSCvh89155, CSCvh89157, CSCvh89158
 
CVE-2018-0422
CWE-264
 
CVSS Score: Base 7.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

    A vulnerability in the folder permissions of Cisco Webex Meetings client
    for Windows could allow an authenticated, local attacker to modify locally
    stored files and execute code on a targeted device with the privilege level
    of the user.

    The vulnerability is due to folder permissions that grant a user the
    permission to read, write, and execute files in the Webex folders. An
    attacker could exploit this vulnerability to write malicious files to the
    Webex client directory, affecting all other users of the targeted device. A
    successful exploit could allow a user to execute commands with elevated
    privileges.

    Attacks on single-user systems are less likely to occur, as the attack must
    be carried out by the user on the user's own system. Multiuser systems have
    a higher risk of exploitation because folder permissions have an impact on
    all users of the device. For an attacker to exploit this vulnerability
    successfully, a second user must execute the locally installed malicious
    file to allow remote code execution to occur.
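The weakness described above is a folder whose ACL lets every local user write and execute inside it. The following added example (not Cisco's code and not part of the advisory) shows how a defender can audit for that pattern: it parses the text output of the Windows `icacls` tool and flags allow entries that give a broad principal (Everyone, BUILTIN\Users, Authenticated Users, Interactive) any write-type right. The install path and both `icacls` listings are constructed for the example; the advisory does not name the affected folder.

```python
import re

# Placeholder install folder (constructed for this example; the advisory does
# not name the affected path). On a real host you would run:  icacls "<folder>"
EXAMPLE_PATH = r"C:\ExamplePath\Webex"

# Constructed icacls output for a folder exhibiting the weakness described in
# the advisory: every local user can write and execute inside it.
VULNERABLE_SAMPLE = r"""C:\ExamplePath\Webex NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Administrators:(OI)(CI)(F)
                     BUILTIN\Users:(OI)(CI)(F)
                     CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed icacls output for the same folder after the permissions are
# tightened: ordinary users may only read and execute.
HARDENED_SAMPLE = r"""C:\ExamplePath\Webex NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Administrators:(OI)(CI)(F)
                     BUILTIN\Users:(OI)(CI)(RX)
                     CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals whose membership covers every local user of the device. An allow
# ACE for one of these that grants write access is the pattern in the advisory.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls "simple" rights that include writing into a directory ...
WRITE_SIMPLE = {"F", "M", "W", "GA", "GW"}
# ... and the "specific" rights that do the same: add file (WD), add
# subdirectory (AD), delete child (DC), write DAC, write owner, delete.
WRITE_SPECIFIC = {"WD", "AD", "DC", "WDAC", "WO", "DE"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# An ACE line looks like  ACCOUNT:(flag)(flag)(rights)
ACE_RE = re.compile(r"^(?P<account>.+?):(?P<flags>(?:\([^()]*\))+)\s*$")


def parse_icacls(path, output):
    """Parse the text printed by `icacls <path>` into a list of ACE dicts."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # The first line carries the path followed by the first ACE.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights, inherit, deny = set(), set(), False
        for tok in re.findall(r"\(([^()]*)\)", m.group("flags")):
            if tok == "DENY":            # icacls marks deny ACEs with (DENY)
                deny = True
            elif tok in INHERIT_FLAGS:
                inherit.add(tok)
            else:                        # "F" or a list such as "GR,GW,GE"
                rights.update(tok.split(","))
        aces.append({"account": m.group("account"), "deny": deny,
                     "inherit": inherit, "rights": rights})
    return aces


def grants_write(rights):
    """True if the right set lets the holder create or replace entries."""
    return bool(rights & (WRITE_SIMPLE | WRITE_SPECIFIC))


def find_weak_aces(path, output):
    """Allow ACEs that let any local user write into the folder or its children."""
    return [
        ace for ace in parse_icacls(path, output)
        if not ace["deny"]
        and ace["account"].lower() in BROAD_PRINCIPALS
        and grants_write(ace["rights"])
    ]


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE),
                          ("hardened", HARDENED_SAMPLE)):
        weak = find_weak_aces(EXAMPLE_PATH, sample)
        print(label, "->", [(a["account"], sorted(a["rights"])) for a in weak])
```

Inherit-only (IO) entries are deliberately not excluded: an entry that applies only to child objects still lets a user drop or replace files under the folder, which is exactly what the advisory warns about. Entries for CREATOR OWNER and SYSTEM are normal and are not flagged.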

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe

Affected Products

    Vulnerable Products

    This vulnerability affects client applications installed from the following
    Cisco Webex Meetings products when running on Microsoft Windows end-user
    systems:

      + Cisco Webex Meetings Suite (WBS31)
      + Cisco Webex Meetings Suite (WBS32)
      + Cisco Webex Meetings Suite (WBS33)
      + Cisco Webex Meetings
      + Cisco Webex Meetings Server

    To determine whether a Cisco Webex meeting site is running an affected
    version of the Webex software, users can log in to their Cisco Webex
    meeting site and go to Support > Downloads. The version of the Webex
    software will be displayed on the right side of the page under About
    Meeting Center. See the Fixed Software section of this advisory for
    details.

    Alternatively, version information for the Cisco Webex meeting client can
    be accessed directly in the client. Version information for the Cisco Webex
    meeting client on Windows platforms can be viewed by choosing Help > About
    Cisco Webex Meeting Center.

    Note: Customers who do not receive automatic software updates may be
    running versions of Cisco Webex Meetings that have reached end of software
    maintenance and should contact the Cisco TAC (Technical Assistance Center).

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Webex
    Meetings client applications running on Mac OS X and Linux operating
    systems.

Workarounds

    There are no workarounds that address this vulnerability.

Fixed Software

    Cisco will release free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco has released new desktop applications to remediate this
    vulnerability. Users must have the new desktop applications installed to
    remediate the vulnerability.

    Users can obtain the installable MSI from their upgraded site. For WBS33,
    the applications are automatically delivered and installed automatically
    when administrative users attend a meeting on a WBS33 site.

    Users without administrative rights will not be able to install the update
    automatically and will require administrators to install the application
    installable MSI on their desktops.

    Due to customers' lock-down status of WBS 32, users or IT administrators
    must install the desktop applications manually.

    Users or IT administrators can contact the Cisco TAC to obtain the desktop
    applications' installable MSI prior to their site's upgrade.

    Customers' sites are being upgraded to make this desktop application
    available to users according to the following schedule:

    Webex Major Release: Cisco Webex Meetings Suite (WBS31)
    First Fixed Release: N/A
    Availability:        Cisco will not release a new desktop application for
                         WBS31 releases. Customers must upgrade to WBS32 or
                         WBS33 and install the appropriate update.

    Webex Major Release: Cisco Webex Meetings Suite (WBS32)
    First Fixed Release: WBS32.15.20
    Availability:        Released. See WBS 32.15.20 availability on your site
                         based on your cluster schedule:
                         https://status.webex.com/#/maintenance/calendar

                         End users or IT administrators must install new
                         desktop applications manually to remediate the
                         vulnerability.

                         Contact the Cisco TAC to obtain desktop applications'
                         installable MSI prior to availability on your site.

    Webex Major Release: Cisco Webex Meetings Suite (WBS33)
    First Fixed Release: WBS33.4
    Availability:        Released. See WBS33.4 availability on your site based
                         on your cluster schedule:
                         https://status.webex.com/#/maintenance/calendar

                         Users with administrative rights on their desktops
                         will automatically receive a Windows User Account
                         Control (UAC) pop-up window after they join or start
                         a meeting on an updated WBS33.4 site. Users must
                         accept this UAC request to remediate the
                         vulnerability.

                         Users without administrative rights will not be able
                         to install the update automatically and will require
                         administrators to install the application installable
                         MSI on their desktops.

                         Contact the Cisco TAC to obtain the desktop
                         applications' installable MSI prior to availability
                         on your site.

                         Note that the WBS33.4 installable MSI installs the new
                         Webex Desktop application, which includes the new
                         Outlook plug-in and replaces the older Productivity
                         Tools. Although replacement of Productivity Tools with
                         the new desktop application is highly recommended,
                         please contact the Cisco TAC if this replacement is
                         not desired.

    Webex Major Release: Cisco Webex Meetings
    First Fixed Release: 1.3.37
    Availability:        Available beginning September 14, 2018. Contact the
                         Cisco TAC to obtain the desktop applications'
                         installable MSI prior to availability on the site.

    Webex Major Release: Cisco Webex Meetings Server
    First Fixed Release: 3.0MR2
    Availability:        Released. The software is available for download from
                         the Software Center on Cisco.com by clicking Browse
                         all and navigating to Conferencing > Web Conferencing
                         > Webex Meetings Server > Webex Meetings Server 3.0 or
                         via direct link.

    Fixed software will be available on customers' sites based on the release
    update schedule. Customers will receive a separate communication with the
    update schedule for their site. Customers can also contact the Cisco TAC to
    determine their site's update schedule.

    To determine whether a meeting site has an updated version of the Cisco
    Webex software, users can sign in to their Cisco Webex Meetings site and go
    to the Support > Downloads section. The version is displayed on the right
    side of the page under About Webex Meetings.

Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements of the vulnerability. However, there has been no
    indication of malicious use of the vulnerability that is described in this
    advisory.

Source

    Cisco would like to thank Simon Zuckerbraun, working with Trend Micro's
    Zero Day Initiative (ZDI), for reporting this vulnerability.

    Cisco would also like to thank Ben Cheney from DXC Technology for
    independently reporting this vulnerability.

Cisco Security Vulnerability Policy

    To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

    Subscribe

URL

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-05  |
    +----------------------------------------------------------------------------+

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Webex Player WRF Files Denial of Service Vulnerability

Priority:	  Medium
Advisory ID:	  cisco-sa-20180905-webex-player-dos
First Published:  2018 September 5 16:00 GMT
Version 1.0:	  Final
Workarounds:	  No workarounds available
Cisco Bug IDs:	  CSCvi36518, CSCvi36549
 
CVE-2018-0457
CWE-399
 
CVSS Score: Base 5.5
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

    A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF)
    files could allow an unauthenticated, remote attacker to cause a denial of
    service (DoS) condition.

    An attacker could exploit this vulnerability by sending a user a link or
    email attachment with a malicious WRF file and persuading the user to open
    the file in the Cisco Webex Player. A successful exploit could cause the
    affected player to crash, resulting in a DoS condition.

    For more information about this vulnerability, see the Details section of
    this security advisory.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos

Affected Products

  * Vulnerable Products

    This vulnerability affects the Cisco Webex Player that is available from
    Cisco Webex Meetings Suite sites. For information about affected software
    releases, consult the Cisco bug ID(s) at the top of this advisory.

    To determine which version of the Cisco Webex Player is installed, users
    can open the player and choose About from the Help menu.

    Note: Customers who do not receive automatic software updates may be
    running versions of Cisco Webex Meetings that have reached end-of-software
    maintenance and should contact customer support.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Details

  * Cisco Webex Meetings Suite services are hosted multimedia conferencing
    solutions that are managed and maintained by Cisco Webex. The Cisco Webex
    Player is an application that is used to play back Webex meetings that have
    been recorded in WRF format by an online meeting attendee. The Cisco Webex
    Player can be installed only manually from the Cisco Webex site.

    The Cisco Webex Player for WRF files is available only for Cisco Webex
    Meetings Suite (WBS31, WBS32, and WBS33) and Cisco Webex Meetings. The
    affected player is not available for Cisco Webex Meetings Server.

    Windows, Mac OS X, and Linux versions of the Cisco Webex Player are
    affected by the vulnerability described in this advisory.

Workarounds

  * There are no workarounds that address this vulnerability. However, it is
    possible to remove the affected Cisco Webex Player by following the
    software-removal procedure for the operating system. For example, in
    Windows, use Programs and Features to uninstall the affected players.

    To remove Cisco Webex software from a system completely, use the Meeting
    Services Removal Tool (for Microsoft Windows users) or the Mac Webex
    Meeting Application Uninstaller (for Apple Mac OS X users), which are
    available for download from the Cisco Collaboration Help article Cisco
    WebEx and 3rd Party Support Utilities.

    To remove Cisco Webex software from a Linux or UNIX-based system, follow
    the steps in the Cisco Collaboration Help article How Do I Uninstall WebEx
    Software on a Linux or Unix Based System?

Fixed Software

  * For information about fixed software releases, consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * Cisco would like to thank Liu Yongjun for reporting this vulnerability.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-05  |
    +----------------------------------------------------------------------------+

- -------------------------------------------------------------------------------
Cisco Security Advisory

Cisco Webex Teams Information Disclosure and Modification Vulnerability

Priority:	  High
Advisory ID:	  cisco-sa-20180905-webex-id-mod
First Published:  2018 September 5 16:00 GMT
Version 1.0:	  Final
Workarounds:	  No workarounds available
Cisco Bug IDs:	  CSCvi68464
 
CVE-2018-0436
CWE-284
 
CVSS Score: Base 8.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:X/RL:X/RC:X

Summary

  * A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an
    authenticated, remote attacker to view and modify data for an organization
    other than their own organization.

    The vulnerability exists because the affected software performs
    insufficient checks for associations between user accounts and organization
    accounts. An attacker who has administrator or compliance officer
    privileges for one organization account could exploit this vulnerability by
    using those privileges to view and modify data for another organization
    account.

    No customer data was impacted by this vulnerability.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod
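The root cause stated above is an authorization check that verifies the caller's role but not the association between the caller's account and the organization being acted on. The following added example (not Cisco's code and not part of the advisory; the tenant data and field names are constructed) shows that check in a minimal service: with association enforcement switched off, an administrator of one organization can read and modify another organization's record; with it on, the same request is denied and recorded in an audit trail, which is also where a detection team would look for cross-organization attempts.

```python
from dataclasses import dataclass, field

# Roles the advisory names as able to act on an organization's data.
PRIVILEGED_ROLES = {"admin", "compliance_officer"}


@dataclass(frozen=True)
class Account:
    user_id: str
    org_id: str   # the organization this account is associated with (server-side fact)
    role: str


@dataclass
class OrgService:
    """Toy organization service. `enforce_association` toggles between the
    flawed check (role only) and the corrected check (role + association)."""
    accounts: dict
    org_data: dict
    enforce_association: bool = True
    audit: list = field(default_factory=list)

    def _log(self, user_id, target_org, outcome):
        self.audit.append({"user": user_id, "target_org": target_org,
                           "outcome": outcome})

    def _authorize(self, user_id, target_org):
        acct = self.accounts[user_id]
        if acct.role not in PRIVILEGED_ROLES:
            self._log(user_id, target_org, "deny:role")
            return False
        # The missing check: the privileged role is only valid inside the
        # organization the account belongs to. The target org comes from the
        # request; the account's org comes from the server-side record.
        if self.enforce_association and acct.org_id != target_org:
            self._log(user_id, target_org, "deny:cross-org")
            return False
        self._log(user_id, target_org, "allow")
        return True

    def read_org(self, user_id, target_org):
        """Return a copy of the organization record, or None if denied."""
        if not self._authorize(user_id, target_org):
            return None
        return dict(self.org_data[target_org])

    def set_retention(self, user_id, target_org, days):
        """Modify an organization setting; True on success, False if denied."""
        if not self._authorize(user_id, target_org):
            return False
        self.org_data[target_org]["retention_days"] = days
        return True


def build_service(enforce_association=True):
    """Constructed sample tenants: two organizations, one privileged user each."""
    accounts = {
        "alice": Account("alice", "org-A", "admin"),
        "amir": Account("amir", "org-A", "member"),
        "bob": Account("bob", "org-B", "compliance_officer"),
    }
    org_data = {
        "org-A": {"members": ["alice", "amir"], "retention_days": 30},
        "org-B": {"members": ["bob"], "retention_days": 90},
    }
    return OrgService(accounts, org_data, enforce_association)


if __name__ == "__main__":
    for enforce in (False, True):
        svc = build_service(enforce_association=enforce)
        print("association check" if enforce else "role check only",
              "-> bob reads org-A:", svc.read_org("bob", "org-A"),
              "| bob edits org-A:", svc.set_retention("bob", "org-A", 1))
```

The design point is that the organization a caller may act on is derived from the authenticated account's own record, never from an identifier the caller supplies, and that every denial is logged so cross-organization attempts are visible after the fact.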

Affected Products

  * Vulnerable Products

    This vulnerability affects all versions of Cisco Webex Teams prior to
    Version 20180417-150803.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  * There are no workarounds that address this vulnerability.

Fixed Software

  * Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in Cisco Webex Teams Versions
    20180417-150803 and later.

    Customers are advised to upgrade to the latest version of Cisco Webex
    Teams.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  * This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  * Subscribe

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod

Revision History

    +----------------------------------------------------------------------------+
    | Version |       Description        | Section | Status |        Date        |
    |---------+--------------------------+---------+--------+--------------------|
    | 1.0     | Initial public release.  |         | Final  | 2018-September-05  |
    +----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5HT22aOgq3Tt24GAQgTOQ//ZVEULD3cZTlFAqkEQaSvQ0z9/Oi2hjDm
GOP14KEmZcBjbARVDsgYTPkLNcqOkxjIenmG5W6/H2pTywCu+64SnxUmebhOpTI9
bJyW+5YSgMzeNhb6Yf54OFmAoDAGQ00L5yXPMettR/XBmGC1E2PX9EnLDoDODEQQ
MiADZgAuBTJGMXC70+gMjaqCOETOcx1plesGr0tPo4WvQDSAx68WsO129+IGIZoc
jCNC5lsvo+yvzEoUu/C++5h9n9/p0X5boHLSAMj+KIWt62YYgT3475JQR5Bg1UvD
QLNwhupeg5k6mdZVCQZRTQOBeYX6TYWIQCXlATHxhqaMUQP+oz++RYEcJPX25fwa
eDGQQ3aMlfbikix9T7iheaWyebXXc7UPYuJHufuoHf93u/nkGwbhzGLh/ChO1a9I
Fe72cL2/r53/0SB+sg3B6yHJ9x96eCjjWSXCmUay93rpGTlZIascFPCXCoYuRf8h
Cm4kT1PjuOY0J9GulcF/6RmSigke8v4+eDjZYytVoBL9Az8R/4VQyRlYK6TRacVG
tuTCMnk/S6PCUVgnjxbAxcTKgvBTdR5UriwVRYwj4Vai12TATkAIFQTARBuJ1iRc
taClxeIBD/rBNNDla8qLGxZcnO3v6gF+iOpszbbvUe6oJjuGnpmrHOFbpQjhozfV
Ch334T8Zlz8=
=3QfF
-----END PGP SIGNATURE-----
