Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.2661
Multiple vulnerabilities have been identified in Cisco Webex Products
7 September 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Webex Meetings Client for Windows
Cisco Webex Player
Cisco Webex Teams
Publisher: Cisco Systems
Operating System: Cisco
Windows
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-0457 CVE-2018-0436 CVE-2018-0422
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod
Comment: This bulletin contains three (3) Cisco Systems security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security
Cisco Webex Meetings Client for Windows Privilege Escalation Vulnerability
Priority: High
Advisory ID: cisco-sa-20180905-webex-pe
First Published: 2018 September 5 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvh89155, CSCvh89157, CSCvh89158
CVE-2018-0422
CWE-264
CVSS Score: Base 7.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
A vulnerability in the folder permissions of Cisco Webex Meetings client
for Windows could allow an authenticated, local attacker to modify locally
stored files and execute code on a targeted device with the privilege level
of the user.
The vulnerability is due to folder permissions that grant a user the
permission to read, write, and execute files in the Webex folders. An
attacker could exploit this vulnerability to write malicious files to the
Webex client directory, affecting all other users of the targeted device. A
successful exploit could allow a user to execute commands with elevated
privileges.
Attacks on single-user systems are less likely to occur, as the attack must
be carried out by the user on the user's own system. Multiuser systems have
a higher risk of exploitation because folder permissions have an impact on
all users of the device. For an attacker to exploit this vulnerability
successfully, a second user must execute the locally installed malicious
file to allow remote code execution to occur.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
Affected Products
Vulnerable Products
This vulnerability affects client applications installed from the following
Cisco Webex Meetings products when running on Microsoft Windows end-user
systems:
+ Cisco Webex Meetings Suite (WBS31)
+ Cisco Webex Meetings Suite (WBS32)
+ Cisco Webex Meetings Suite (WBS33)
+ Cisco Webex Meetings
+ Cisco Webex Meetings Server
To determine whether a Cisco Webex meeting site is running an affected
version of the Webex software, users can log in to their Cisco Webex
meeting site and go to Support > Downloads. The version of the Webex
software will be displayed on the right side of the page under About
Meeting Center. See the Fixed Software section of this advisory for
details.
Alternatively, version information for the Cisco Webex meeting client can
be accessed directly in the client. Version information for the Cisco Webex
meeting client on Windows platforms can be viewed by choosing Help > About
Cisco Webex Meeting Center.
Note: Customers who do not receive automatic software updates may be
running versions of Cisco Webex Meetings that have reached end of software
maintenance and should contact the Cisco TAC (Technical Assistance Center).
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco Webex
Meetings client applications running on Mac OS X and Linux operating
systems.
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
Cisco will release free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco has released new desktop applications to remediate this
vulnerability. Users must have the new desktop applications installed to
remediate the vulnerability.
Users can obtain the installable MSI from their upgraded site. For WBS33,
the applications are automatically delivered and installed automatically
when administrative users attend a meeting on a WBS33 site.
Users without administrative rights will not be able to install the update
automatically and will require administrators to install the application
installable MSI on their desktops.
Due to customers? lock down status of WBS 32, users or IT administrators
must install the desktop applications manually.
Users or IT administrators can contact the Cisco TAC to obtain the desktop
applications? installable MSI prior to their site?s upgrade.
Customers? sites are being upgraded to make this desktop application
available to users according to the following schedule:
Webex First Fixed Availability
Major Release
Release
Cisco
Webex Cisco will not release a new desktop application for
Meetings N/A WBS31 releases. Customers must upgrade to WBS32 or WBS33
Suite and install the appropriate update.
(WBS31)
Released
See WBS 32.15.20 availability on your site based on your
Cisco cluster schedule: https://status.webex.com/#/maintenance
Webex /calendar
Meetings WBS32.15.20
Suite End users or IT administrators must install new desktop
(WBS32) applications manually to remediate the vulnerability.
Contact the Cisco TAC to obtain desktop applications?
installable MSI prior to availability on your site.
Released
See WBS33.4 availability on your site based on your
cluster schedule: https://status.webex.com/#/maintenance
/calendar
Users with administrative rights on their desktops will
automatically receive a Windows User Account Control
(UAC) pop-up window after they join or start a meeting
on an updated WBS33.4 site. Users must accept this UAC
request to remediate the vulnerability.
Cisco
Webex Users without administrative rights will not be able to
Meetings WBS33.4 install the update automatically and will require
Suite administrators to install the application installable
(WBS33) MSI on their desktops.
Contact the Cisco TAC to obtain the desktop
applications? installable MSI prior to availability on
your site.
Note that the WBS33.4 installable MSI installs the new
Webex Desktop application, which includes the new
Outlook plug-in and replaces the older Productivity
Tools. Although replacement of Productivity Tools with
the new desktop application is highly recommended,
please contact the Cisco TAC if this replacement is not
desired.
Available beginning September 14, 2018
Cisco
Webex 1.3.37 Contact the Cisco TAC to obtain the desktop
Meetings applications? installable MSI prior to availability on
the site.
Released
Cisco
Webex The software is available for download from the Software
Meetings 3.0MR2 Center on Cisco.com by clicking Browse all and
Server navigating to Conferencing > Web Conferencing > Webex
Meetings Server > Webex Meetings Server 3.0 or via
direct link.
Fixed software will be available on customers? sites based on the release
update schedule. Customers will receive a separate communication with the
update schedule for their site. Customers can also contact the Cisco TAC to
determine their site?s update schedule.
To determine whether a meeting site has an updated version of the Cisco
Webex software, users can sign in to their Cisco Webex Meetings site and go
to the Support > Downloads section. The version is displayed on the right
side of the page under About Webex Meetings.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of
public announcements of the vulnerability. However, there has been no
indication of malicious use of the vulnerability that is described in this
advisory.
Source
Cisco would like to thank Simon Zuckerbraun, working with Trend Micro's
Zero Day Initiative (ZDI), for reporting this vulnerability.
Cisco would also like to thank Ben Cheney from DXC Technology for
independently reporting this vulnerability.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
Subscribe
URL
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | | Final | 2018-September-05 |
+----------------------------------------------------------------------------+
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco Webex Player WRF Files Denial of Service Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20180905-webex-player-dos
First Published: 2018 September 5 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvi36518, CSCvi36549
CVE-2018-0457
CWE-399
CVSS Score: Base 5.5
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF)
files could allow an unauthenticated, remote attacker to cause a denial of
service (DoS) condition.
An attacker could exploit this vulnerability by sending a user a link or
email attachment with a malicious WRF file and persuading the user to open
the file in the Cisco Webex Player. A successful exploit could cause the
affected player to crash, resulting in a DoS condition.
For more information about this vulnerability, see the Details section of
this security advisory.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
Affected Products
* Vulnerable Products
This vulnerability affects the Cisco Webex Player that is available from
Cisco Webex Meetings Suite sites. For information about affected software
releases, consult the Cisco bug ID(s) at the top of this advisory.
To determine which version of the Cisco Webex Player is installed, users
can open the player and choose About from the Help menu.
Note: Customers who do not receive automatic software updates may be
running versions of Cisco Webex Meetings that have reached end-of-software
maintenance and should contact customer support.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Details
* Cisco Webex Meetings Suite services are hosted multimedia conferencing
solutions that are managed and maintained by Cisco Webex. The Cisco Webex
Player is an application that is used to play back Webex meetings that have
been recorded in WRF format by an online meeting attendee. The Cisco Webex
Player can be installed only manually from the Cisco Webex site.
The Cisco Webex Player for WRF files is available only for Cisco Webex
Meetings Suite (WBS31, WBS32, and WBS33) and Cisco Webex Meetings. The
affected player is not available for Cisco Webex Meetings Server.
Windows, Mac OS X, and Linux versions of the Cisco Webex Player are
affected by the vulnerability described in this advisory.
Workarounds
* There are no workarounds that address this vulnerability. However, it is
possible to remove the affected Cisco Webex Player by following the
software-removal procedure for the operating system. For example, in
Windows, use Programs and Features to uninstall the affected players.
To remove Cisco Webex software from a system completely, use the Meeting
Services Removal Tool (for Microsoft Windows users) or the Mac Webex
Meeting Application Uninstaller (for Apple Mac OS X users), which are
available for download from the Cisco Collaboration Help article Cisco
WebEx and 3rd Party Support Utilities.
To remove Cisco Webex software from a Linux or UNIX-based system, follow
the steps in the Cisco Collaboration Help article How Do I Uninstall WebEx
Software on a Linux or Unix Based System?
Fixed Software
* For information about fixed software releases, consult the Cisco bug ID(s)
at the top of this advisory.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* Cisco would like to thank Liu Yongjun for reporting this vulnerability.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | ? | Final | 2018-September-05 |
+----------------------------------------------------------------------------+
- -------------------------------------------------------------------------------
Cisco Security Advisory
Cisco Webex Teams Information Disclosure and Modification Vulnerability
Priority: High
Advisory ID: cisco-sa-20180905-webex-id-mod
First Published: 2018 September 5 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvi68464
CVE-2018-0436
CWE-284
CVSS Score: Base 8.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:X/RL:X/RC:X
Summary
* A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an
authenticated, remote attacker to view and modify data for an organization
other than their own organization.
The vulnerability exists because the affected software performs
insufficient checks for associations between user accounts and organization
accounts. An attacker who has administrator or compliance officer
privileges for one organization account could exploit this vulnerability by
using those privileges to view and modify data for another organization
account.
No customer data was impacted by this vulnerability.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20180905-webex-id-mod
Affected Products
* Vulnerable Products
This vulnerability affects all versions of Cisco Webex Teams prior to
Version 20180417-150803.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
* There are no workarounds that address this vulnerability.
Fixed Software
* Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco Webex Teams Versions
20180417-150803 and later.
Customers are advised to upgrade to the latest version of Cisco Webex
Teams.
Exploitation and Public Announcements
* The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
* This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
* To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
* Subscribe
URL
* https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod
Revision History
+----------------------------------------------------------------------------+
| Version | Description | Section | Status | Date |
|---------+--------------------------+---------+--------+--------------------|
| 1.0 | Initial public release. | ? | Final | 2018-September-05 |
+----------------------------------------------------------------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW5HT22aOgq3Tt24GAQgTOQ//ZVEULD3cZTlFAqkEQaSvQ0z9/Oi2hjDm
GOP14KEmZcBjbARVDsgYTPkLNcqOkxjIenmG5W6/H2pTywCu+64SnxUmebhOpTI9
bJyW+5YSgMzeNhb6Yf54OFmAoDAGQ00L5yXPMettR/XBmGC1E2PX9EnLDoDODEQQ
MiADZgAuBTJGMXC70+gMjaqCOETOcx1plesGr0tPo4WvQDSAx68WsO129+IGIZoc
jCNC5lsvo+yvzEoUu/C++5h9n9/p0X5boHLSAMj+KIWt62YYgT3475JQR5Bg1UvD
QLNwhupeg5k6mdZVCQZRTQOBeYX6TYWIQCXlATHxhqaMUQP+oz++RYEcJPX25fwa
eDGQQ3aMlfbikix9T7iheaWyebXXc7UPYuJHufuoHf93u/nkGwbhzGLh/ChO1a9I
Fe72cL2/r53/0SB+sg3B6yHJ9x96eCjjWSXCmUay93rpGTlZIascFPCXCoYuRf8h
Cm4kT1PjuOY0J9GulcF/6RmSigke8v4+eDjZYytVoBL9Az8R/4VQyRlYK6TRacVG
tuTCMnk/S6PCUVgnjxbAxcTKgvBTdR5UriwVRYwj4Vai12TATkAIFQTARBuJ1iRc
taClxeIBD/rBNNDla8qLGxZcnO3v6gF+iOpszbbvUe6oJjuGnpmrHOFbpQjhozfV
Ch334T8Zlz8=
=3QfF
-----END PGP SIGNATURE-----