ESB-2018.3002 - [Win][Cisco] Cisco Webex Network Recording Player and Cisco Webex Player: Execute arbitrary code/commands - Remote with user interaction 2018-10-04

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3002
        Cisco Webex Network Recording Player and Cisco Webex Player
                   Remote Code Execution Vulnerabilities
                              4 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Network Recording Player
                   Cisco Webex Player
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15431 CVE-2018-15420 CVE-2018-15419
                   CVE-2018-15418 CVE-2018-15417 CVE-2018-15416
                   CVE-2018-15415 CVE-2018-15413 CVE-2018-15412
                   CVE-2018-15411 CVE-2018-15410 CVE-2018-15409
                   CVE-2018-15408  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-webex-rce

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Webex Network Recording Player and Cisco Webex Player Remote Code
Execution Vulnerabilities

Priority:		High
Advisory ID:		cisco-sa-20181003-webex-rce
First Published:	2018 October 3 16:00 GMT
Version 1.0:		Final
Workarounds:		No workarounds available
Cisco Bug IDs:		CSCvj83752, CSCvj83767, CSCvj83771, CSCvj83793,
			CSCvj83797, CSCvj83803, CSCvj83818, CSCvj83824, 
			CSCvj83831, CSCvj87929,	CSCvj87934, CSCvj93870, 
			CSCvj93877, CSCvk31089, CSCvk33049, CSCvk52510, 
			CSCvk52518, CSCvk52521, CSCvk59945, CSCvk59949, 
			CSCvk59950, CSCvk60158, CSCvk60163, CSCvm51315, 
			CSCvm51318, CSCvm51361, CSCvm51371, CSCvm51373, 
			CSCvm51374, CSCvm51382, CSCvm51386, CSCvm51391, 
			CSCvm51393, CSCvm51396, CSCvm51398, CSCvm51412, 
			CSCvm51413, CSCvm54531, CSCvm54538, CSCvj83752, 
			CSCvj83767, CSCvj83771 
CVE-2018-15408
CVE-2018-15409
CVE-2018-15410
CVE-2018-15411
CVE-2018-15412
CVE-2018-15413
CVE-2018-15415
CVE-2018-15416
CVE-2018-15417
CVE-2018-15418
CVE-2018-15419
CVE-2018-15420
CVE-2018-15431
CVE-2018-15408
CVE-2018-15409
CVE-2018-15410
CWE-20
 
CVSS Score:		Base 7.8
CVSS:			3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * Multiple vulnerabilities in the Cisco Webex Network Recording Player for
    Microsoft Windows and the Cisco Webex Player for Microsoft Windows could
    allow an attacker to execute arbitrary code on an affected system.

    The vulnerabilities exist because the affected software improperly
    validates Advanced Recording Format (ARF) and Webex Recording Format (WRF)
    files. An attacker could exploit these vulnerabilities by sending a user a
    malicious ARF or WRF file via a link or an email attachment and persuading
    the user to open the file by using the affected software. A successful
    exploit could allow the attacker to execute arbitrary code on the affected
    system.

    Cisco has released software updates that address these vulnerabilities.
    There are no workarounds that address these vulnerabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-webex-rce

Affected Products

  * Vulnerable Products

    These vulnerabilities affect the following versions of the Cisco Webex
    Network Recording Player for Microsoft Windows and the Cisco Webex Player
    for Microsoft Windows, which are available from Cisco Webex Business Suite
    sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server:

      + Cisco Webex Business Suite WBS31 sites ? All Webex Network Recording
        Player and Webex Player versions prior to Version WBS31.23
      + Cisco Webex Business Suite WBS32 sites ? All Webex Network Recording
        Player and Webex Player versions prior to Version WBS32.15.20
      + Cisco Webex Business Suite WBS33 sites ? All Webex Network Recording
        Player and Webex Player versions prior to Version WBS33.4
      + Cisco Webex Meetings Online ? All Webex Network Recording Player and
        Webex Player versions prior to Version 1.3.37
      + Cisco Webex Meetings Server ? All Webex Network Recording Player
        versions prior to Version 3.0MR2 Patch 1

    To determine which version of the Cisco Webex Network Recording Player or
    the Cisco Webex Player is installed on a system, users can open the player
    and choose Help > About.

    Note: Customers should contact Cisco Webex Customer Support if they do not
    receive automatic software updates and are running a vulnerable software
    version that has reached the end-of-software-maintenance milestone.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect the Apple Mac
    OS X or Linux versions of the Cisco Webex Network Recording Player or the
    Cisco Webex Player.

Details

  * Cisco Webex Business Suite services and Cisco Webex Meetings Online are
    hosted, multimedia conferencing solutions that are managed and maintained
    by Cisco Webex. Cisco Webex Meetings Server is a multimedia conferencing
    solution that customers host, manage, and maintain in their private clouds.

    Cisco Webex Business Suite services can be configured to allow users to
    store meeting recordings online and download those recordings as ARF files.
    These services can also be configured to allow users to record meetings
    directly on their local computers as WRF files.

    The Cisco Webex Network Recording Player is the application that is used to
    play back ARF files. It is available from Cisco Webex Business Suite sites
    (WBS31, WBS32, and WBS33), Cisco Webex Meetings Online, and Cisco Webex
    Meetings Server. The player can be installed manually from the Cisco Webex
    website or automatically when a user accesses an ARF file for streaming
    playback from a Cisco Webex Business Suite site.

    The Cisco Webex Player is the application that is used to play back WRF
    files. It is available from Cisco Webex Business Suite sites (WBS31, WBS32,
    and WBS33) and Cisco Webex Meetings Online. It is not available from Cisco
    Webex Meetings Server. The player can also be installed manually from the
    Cisco Webex website.

Workarounds

  * There are no workarounds that address these vulnerabilities. However,
    customers may remove the Cisco Webex Network Recording Player and the Cisco
    Webex Player from a system by using the software-removal procedure for the
    operating system. For example, to remove a player from a Microsoft Windows
    10 system, customers can use the Apps & Features app in the Windows
    Settings app.

    To remove all Cisco Webex software from a Microsoft Windows system,
    customers can use the Meeting Services Removal Tool, which is available for
    download from the Cisco Collaboration Help article, Cisco Webex and 3rd
    Party Support Utilities.

Fixed Software

  * Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Versions

    Cisco fixed these vulnerabilities in the following versions of the Cisco
    Webex Network Recording Player and the Cisco Webex Player:

      + Cisco Webex Business Suite WBS32 sites ? Webex Network Recording Player
        and Webex Player Versions WBS32.15.30 and later
      + Cisco Webex Business Suite WBS33 sites ? Webex Network Recording Player
        and Webex Player Versions WBS33.5 and later
      + Cisco Webex Meetings Online ? Webex Network Recording Player and Webex
        Player Versions 1.3.39 and later
      + Cisco Webex Meetings Server ? Webex Network Recording Player Versions
        3.0MR2 Patch 1 and later

    Cisco has not and will not fix all these vulnerabilities in Cisco Webex
    Business Suite WBS31 sites because those sites have reached the
    end-of-version-support milestone. For information about this milestone and
    the upgrade plans for WBS31 sites, see Cisco Webex Meetings Suite
    End-of-Version Support Policy.

    Customers can upgrade to a fixed version of the Cisco Webex Network
    Recording Player in either of two ways:

      + Automatically: The player will be automatically upgraded to the latest
        version of the software when a user accesses an ARF file that is hosted
        on a Cisco Webex Business Suite site (WBS32 or WBS33), Cisco Webex
        Meetings Online site, or Cisco Webex Meetings Server.
      + Manually: The player can be downloaded and installed from https://
        www.webex.com/play-webex-recording.html.

    Note: Customers who use locked-down Cisco Webex sites will not receive
    updated versions of the Cisco Webex Network Recording Player automatically.
    These customers should contact Cisco Webex Customer Support to obtain
    updates or obtain the latest version of the player from https://
    www.webex.com/play-webex-recording.html.

    Customers can upgrade to a fixed version of the Cisco Webex Player by
    uninstalling their current version of the player and then downloading and
    installing the latest version of the player from https://www.webex.com/
    play-webex-recording.html.

    The following table lists the Cisco bug IDs and fixed versions of the
    software for each vulnerability that is described in this advisory.
    Customers are advised to upgrade to an appropriate version as indicated in
    the table.

                                          Fixed Versions
               Webex Meetings   Webex Meetings  Webex Meetings  Webex     Webex
    Cisco Bug  Suite            Suite           Suite           Meetings  Meetings
    ID         WBS31 Sites      WBS32 Sites     WBS33 Sites     Server    Online
                                    CVE-2018-15408
    CSCvj87934                  32.15.30 or     33.3 or later              
                                later
    CSCvm51315                                                  3.0MR2     
                                                                Patch 1
    CSCvm51318                                                            1.3.37
                                    CVE-2018-15409
    CSCvj83752 31.23.4 or later 32.15.10 or     33.3 or later              
                                later
    CSCvj83767                                                  3.0MR2     
    CSCvj83771                                                            1.3.37
                                    CVE-2018-15410
    CSCvj83793 31.23.0 or later 32.15.10 or     33.5 or later              
                                later
    CSCvj83797                                                  3.0MR2     
    CSCvj83803                                                            1.3.37
                                    CVE-2018-15411
    CSCvk60158                  32.15.30 or     33.4 or later              
                                later
    CSCvm51361                                                  3.0MR2     
                                                                Patch 1
    CSCvm51371                                                            1.3.37
                                    CVE-2018-15412
    CSCvj93877                  32.15.30 or     33.3 or later              
                                later
    CSCvm51373                                                  3.0MR2     
                                                                Patch 1
    CSCvm51374                                                            1.3.37
                                    CVE-2018-15413
    CSCvk52518                  32.15.20 or     33.4 or later              
                                later
    CSCvk52510                                                  3.0MR2     
    CSCvk52521                                                            1.3.39
                                    CVE-2018-15415
    CSCvk59945                  32.15.10 or     33.4 or later              
                                later
    CSCvk59949                                                  3.0MR2     
    CSCvk59950                                                            1.3.37
                                    CVE-2018-15416
    CSCvj87929                  32.15.10 or     33.3 or later              
                                later
    CSCvm51382                                                  3.0MR2     
    CSCvm51386                                                            1.3.37
                                    CVE-2018-15417
    CSCvk60163                  32.15.30 or     33.4 or later              
                                later
    CSCvm51391                                                  3.0MR2     
                                                                Patch 1
    CSCvm51393                                                            1.3.37
                                    CVE-2018-15418
    CSCvj83818 31.23.0 or later 32.15.10 or     33.5 or later              
                                later
    CSCvj83824                                                  3.0MR2     
    CSCvj83831                                                            1.3.37
                                    CVE-2018-15419
    CSCvk31089                  32.15.30 or     33.3 or later              
                                later
    CSCvm54531                                                  3.0MR2     
                                                                Patch 1
    CSCvm54538                                                            1.3.38
                                    CVE-2018-15420
    CSCvj93870                  32.15.30 or     33.3 or later              
                                later
    CSCvm51396                                                  3.0MR2     
                                                                Patch 1
    CSCvm51398                                                            1.3.37
                                    CVE-2018-15431
    CSCvk33049                  32.15.30 or                                
                                later
    CSCvm51413                                                  3.0MR2     
                                                                Patch 1
    CSCvm51412                                                            1.3.38

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  * Cisco would like to thank Trend Micro's Zero Day Initiative for reporting
    the following vulnerabilities: CVE-2018-15408, CVE-2018-15409,
    CVE-2018-15411, CVE-2018-15412, CVE-2018-15413, CVE-2018-15415,
    CVE-2018-15416, CVE-2018-15417, and CVE-2018-15420

    Cisco would like to thank Steven Seeley (mr_me) of Source Incite, working
    with Trend Micro's Zero Day Initiative, for reporting the following
    vulnerabilities: CVE-2018-15410 and CVE-2018-15418

    Cisco would like to thank Michael Flanders, working with Trend Micro's Zero
    Day Initiative, for reporting the following vulnerability: CVE-2018-15416

    Cisco would like to thank Yonghui Han of Fortinet FortiGuard Labs for
    reporting the following vulnerability: CVE-2018-15419

    Cisco would like to thank Fortinet FortiGuard Labs for reporting the
    following vulnerability: CVE-2018-15431

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.


URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-webex-rce

Revision History

    +-----------------------------------------------------------------------------+
    | Version  |        Description        | Section  | Status |       Date       |
    |----------+---------------------------+----------+--------+------------------|
    | 1.0      | Initial public release.   | ?        | Final  | 2018-October-03  |
    +-----------------------------------------------------------------------------+

Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7WlPmaOgq3Tt24GAQg/xA/9GYJ7ToY1+3z8XS8JyCOkunE0ackmsH0h
XcJu0TlS/MZ5qLqwneClU4n77EvG6+Hc+K6xjznOmwHGFtsg50GO26XX/PyAaRzm
IC5OitZuY9d20x1am4KJQXb0WpuhmE0Q/d/ru2JWMIyCFxJLT3AYEidqCmANgS6y
Myl9APopOOj8tQsCdIQ/Jlz21yc9J9WcOsqPpi63p6g5uXhVtr/csV3DI/dd2NVL
gAaHwIesjqbb5LF35NTm6C0uwYEbOiUlYLe8YJi1gRAQGyE8B1Tz0syod2wHzeRR
byNu2xzv2bwFwU+kY2HYvENma7+5b9IhuKhui+PATMuX17fuEHoX+mA2f1+5JNVl
1XmXwt5nUVCKSPrHta737gFRSdHPB8lGl/ef7mzXn8C3pT+tLuftXT9eai8zhIc9
f1q/5T011LylqFUx6LjLAX0YGkKNHoytnImx4YOcsosnvNBiZ8m493HgIO5taXIA
NvrUwoy+Ck39JSGfhjthnQl1eo8LL7tC5Xo7BAiMV49ulH1NE1rge8cDHHxCuxOt
YJcHT1d4Jk5algVzOvhwGmDF3yV5BcZM4xWOa8pWGGe3E3kpn+BXrNmJRytSiojH
GtUFEoM00IlvD81o+4y5cVUWImp3xfF4AnleJv9LjCv4KT4GJEmD2o/3P2hXoj1O
L0YO9ZXtnXQ=
=wC5g
-----END PGP SIGNATURE-----

« Back to bulletins