-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2661
     Multiple vulnerabilities have been identified in Cisco Webex Products
                              7 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Meetings Client for Windows
                   Cisco Webex Player
                   Cisco Webex Teams
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0457 CVE-2018-0436 CVE-2018-0422

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod

Comment: This bulletin contains three (3) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco Webex Meetings Client for Windows Privilege Escalation Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180905-webex-pe
First Published: 2018 September 5 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvh89155, CSCvh89157, CSCvh89158
CVE-2018-0422
CWE-264
CVSS Score:      Base 7.3
                 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the folder permissions of Cisco Webex Meetings client for
Windows could allow an authenticated, local attacker to modify locally stored
files and execute code on a targeted device with the privilege level of the
user.
The vulnerability is due to folder permissions that grant a user the permission
to read, write, and execute files in the Webex folders. An attacker could
exploit this vulnerability to write malicious files to the Webex client
directory, affecting all other users of the targeted device. A successful
exploit could allow a user to execute commands with elevated privileges.

Attacks on single-user systems are less likely to occur, as the attack must be
carried out by the user on the user's own system. Multiuser systems have a
higher risk of exploitation because folder permissions have an impact on all
users of the device. For an attacker to exploit this vulnerability
successfully, a second user must execute the locally installed malicious file
to allow remote code execution to occur.

Cisco has released software updates that address this vulnerability. There are
no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe

Affected Products

Vulnerable Products

This vulnerability affects client applications installed from the following
Cisco Webex Meetings products when running on Microsoft Windows end-user
systems:

  + Cisco Webex Meetings Suite (WBS31)
  + Cisco Webex Meetings Suite (WBS32)
  + Cisco Webex Meetings Suite (WBS33)
  + Cisco Webex Meetings
  + Cisco Webex Meetings Server

To determine whether a Cisco Webex meeting site is running an affected version
of the Webex software, users can log in to their Cisco Webex meeting site and go
to Support > Downloads. The version of the Webex software will be displayed on
the right side of the page under About Meeting Center. See the Fixed Software
section of this advisory for details.

Alternatively, version information for the Cisco Webex meeting client can be
accessed directly in the client.
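The folder-permission weakness described above is something an administrator of a shared Windows host can look for directly, independent of the site version. The PowerShell below is an added example, not code from Cisco or from this advisory: it walks candidate Webex installation folders and reports every Allow ACE that gives a broad, non-administrative principal (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) a write-type right, which is the condition that lets one local user plant a file other users will execute. The candidate paths and the "Webex" folder name are assumptions; the advisory does not name the affected directories.

```powershell
# Added example; not from the Cisco advisory. Reports Allow ACEs on Webex
# folders that let broad, non-admin principals write. Run in an elevated
# PowerShell session on the host being checked.

function Find-BroadWriteAce {
    <#
      Emits one object per (folder, ACE) where a broad principal holds a
      write-type right. Broad principals are matched by well-known SID so the
      check does not depend on the display language of the host.
    #>
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [switch]$Recurse
    )

    $broadSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # NT AUTHORITY\Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
    )

    # Specific rights that allow creating, replacing or removing files.
    # Modify and FullControl are supersets of these bits, so they match too.
    $writeRights = [System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
        'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    $genericWrite = 0x40000000   # GENERIC_WRITE: some ACEs carry generic bits
    $genericAll   = 0x10000000   # GENERIC_ALL

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }

        $dirs = @(Get-Item -LiteralPath $root)
        if ($Recurse) {
            $dirs += @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        }

        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # no rights to read the DACL; skip

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }      # orphaned or untranslatable principal
                if ($broadSids -notcontains $sid) { continue }

                $mask = [int]$ace.FileSystemRights
                $canWrite = (($mask -band [int]$writeRights) -ne 0) -or
                            (($mask -band $genericWrite) -ne 0) -or
                            (($mask -band $genericAll) -ne 0)
                if (-not $canWrite) { continue }

                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    AppliesTo = $ace.InheritanceFlags
                }
            }
        }
    }
}

# Assumed install roots (the advisory does not name the folders); adjust to
# wherever the Webex client is actually installed on your hosts.
$candidates = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Webex' }

$findings = Find-BroadWriteAce -Path $candidates -Recurse
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No broad write ACEs found under the checked Webex folders.'
}
```

A hit from this script is a signal that the host still carries the weak layout, not a remediation: the advisory lists no workaround, and the supported fix is the updated desktop application. Tightening the ACLs by hand may break the client's self-update path, so treat findings as input to the MSI rollout rather than as something to repair in place. Inherited ACEs point at the parent folder's permissions rather than at anything the Webex installer set.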
Version information for the Cisco Webex meeting client on Windows platforms can
be viewed by choosing Help > About Cisco Webex Meeting Center.

Note: Customers who do not receive automatic software updates may be running
versions of Cisco Webex Meetings that have reached end of software maintenance
and should contact the Cisco TAC (Technical Assistance Center).

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are
known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco Webex Meetings
client applications running on Mac OS X and Linux operating systems.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco will release free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller or
partner. In most cases this will be a maintenance upgrade to software that was
previously purchased. Free security software updates do not entitle customers
to a new software license, additional software feature sets, or major revision
upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.
In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software configurations
will continue to be supported properly by the new release. If the information
is not clear, customers are advised to contact the Cisco Technical Assistance
Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

Cisco has released new desktop applications to remediate this vulnerability.
Users must have the new desktop applications installed to remediate the
vulnerability. Users can obtain the installable MSI from their upgraded site.

For WBS33, the applications are delivered and installed automatically when
administrative users attend a meeting on a WBS33 site. Users without
administrative rights will not be able to install the update automatically and
will require administrators to install the application installable MSI on
their desktops.

Because customers' WBS32 sites are locked down, users or IT administrators must
install the desktop applications manually. Users or IT administrators can
contact the Cisco TAC to obtain the desktop applications' installable MSI prior
to their site's upgrade.

Customers' sites are being upgraded to make this desktop application available
to users according to the following schedule:

Webex Major Release: Cisco Webex Meetings Suite (WBS31)
  First Fixed Release: N/A
  Availability:        Cisco will not release a new desktop application for
                       WBS31 releases. Customers must upgrade to WBS32 or WBS33
                       and install the appropriate update.

Webex Major Release: Cisco Webex Meetings Suite (WBS32)
  First Fixed Release: WBS32.15.20
  Availability:        Released. See WBS32.15.20 availability on your site
                       based on your Cisco cluster schedule:
                       https://status.webex.com/#/maintenance/calendar
                       End users or IT administrators must install the new
                       desktop applications manually to remediate the
                       vulnerability. Contact the Cisco TAC to obtain the
                       desktop applications' installable MSI prior to
                       availability on your site.

Webex Major Release: Cisco Webex Meetings Suite (WBS33)
  First Fixed Release: WBS33.4
  Availability:        Released. See WBS33.4 availability on your site based on
                       your cluster schedule:
                       https://status.webex.com/#/maintenance/calendar
                       Users with administrative rights on their desktops will
                       automatically receive a Windows User Account Control
                       (UAC) pop-up window after they join or start a meeting
                       on an updated WBS33.4 site. Users must accept this UAC
                       request to remediate the vulnerability.
                       Users without administrative rights will not be able to
                       install the update automatically and will require
                       administrators to install the application installable
                       MSI on their desktops. Contact the Cisco TAC to obtain
                       the desktop applications' installable MSI prior to
                       availability on your site.
                       Note that the WBS33.4 installable MSI installs the new
                       Webex Desktop application, which includes the new
                       Outlook plug-in and replaces the older Productivity
                       Tools. Although replacement of Productivity Tools with
                       the new desktop application is highly recommended,
                       please contact the Cisco TAC if this replacement is not
                       desired.

Webex Major Release: Cisco Webex Meetings
  First Fixed Release: 1.3.37
  Availability:        Available beginning September 14, 2018. Contact the
                       Cisco TAC to obtain the desktop applications' installable
                       MSI prior to availability on the site.

Webex Major Release: Cisco Webex Meetings Server
  First Fixed Release: 3.0MR2
  Availability:        Released. The software is available for download from
                       the Software Center on Cisco.com by clicking Browse all
                       and navigating to Conferencing > Web Conferencing >
                       Webex Meetings Server > Webex Meetings Server 3.0, or
                       via direct link.

Fixed software will be available on customers' sites based on the release
update schedule. Customers will receive a separate communication with the
update schedule for their site. Customers can also contact the Cisco TAC to
determine their site's update schedule.

To determine whether a meeting site has an updated version of the Cisco Webex
software, users can sign in to their Cisco Webex Meetings site and go to the
Support > Downloads section. The version is displayed on the right side of the
page under About Webex Meetings.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is aware of public
announcements of the vulnerability. However, there has been no indication of
malicious use of the vulnerability that is described in this advisory.

Source

Cisco would like to thank Simon Zuckerbraun, working with Trend Micro's Zero
Day Initiative (ZDI), for reporting this vulnerability. Cisco would also like
to thank Ben Cheney from DXC Technology for independently reporting this
vulnerability.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
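The rollout described above depends on administrators pushing the installable MSI to every desktop whose user cannot accept the UAC prompt, and the Webex Player advisory later in this bulletin likewise asks each user to read the version from Help > About. An administrator needs that information from the fleet, not from one dialog at a time. The PowerShell below is an added example, not Cisco's tooling: it reads the Windows Uninstall registry keys (64-bit, WOW6432Node and the current user's hive) and lists every product whose DisplayName matches a Webex pattern, with its version and scope. The "*Webex*" match is an assumption about how Cisco's installers register themselves; the script deliberately does not decide which version strings count as fixed, because the advisory gives fixed site releases rather than client build numbers.

```powershell
# Added example; not from the Cisco advisory. Inventories Webex software
# recorded in the Windows Uninstall keys so administrators can see which
# product and version each host carries before pushing the fixed MSI.

function Get-InstalledWebexSoftware {
    <#
      Emits one object per Uninstall entry whose DisplayName matches
      $NamePattern. Entries under HKCU are per-user installs and are only
      visible for the user running the script (see usage note below).
    #>
    param(
        # Assumed pattern; adjust if your installers register a different name.
        [string]$NamePattern = '*Webex*'
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # e.g. no WOW6432Node on 32-bit

        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not ($props.DisplayName -like $NamePattern)) { return }

            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $props.DisplayName
                DisplayVersion  = $props.DisplayVersion
                Publisher       = $props.Publisher
                InstallDate     = $props.InstallDate
                InstallLocation = $props.InstallLocation
                Scope           = if ($key -like 'HKCU:*') { 'CurrentUser' } else { 'Machine' }
                Wow64           = $key -like '*WOW6432Node*'
                RegistryKey     = $_.PSChildName
            }
        }
    }
}

Get-InstalledWebexSoftware |
    Sort-Object DisplayName, DisplayVersion |
    Format-Table ComputerName, DisplayName, DisplayVersion, Scope, InstallLocation -AutoSize
```

Two caveats matter for this advisory in particular. Per-user installs (the ones non-administrators end up with) live in each user's HKCU hive, so a scan run as the administrator shows only the administrator's own entries; to see other users' installs you must either load their profile hives or run the function under each account through your management agent. For a fleet, `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-InstalledWebexSoftware}` returns the same objects with ComputerName already filled in.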
Subscribe to Cisco Security Notifications

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-pe

Revision History

+----------------------------------------------------------------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-05  |
+----------------------------------------------------------------------------+

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Webex Player WRF Files Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20180905-webex-player-dos
First Published: 2018 September 5 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi36518, CSCvi36549
CVE-2018-0457
CWE-399
CVSS Score:      Base 5.5
                 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the Cisco Webex Player for Webex Recording Format (WRF)
files could allow an unauthenticated, remote attacker to cause a denial of
service (DoS) condition.

An attacker could exploit this vulnerability by sending a user a link or email
attachment with a malicious WRF file and persuading the user to open the file
in the Cisco Webex Player. A successful exploit could cause the affected player
to crash, resulting in a DoS condition. For more information about this
vulnerability, see the Details section of this security advisory.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos

Affected Products

Vulnerable Products

This vulnerability affects the Cisco Webex Player that is available from Cisco
Webex Meetings Suite sites.
For information about affected software releases, consult the Cisco bug ID(s)
at the top of this advisory.

To determine which version of the Cisco Webex Player is installed, users can
open the player and choose About from the Help menu.

Note: Customers who do not receive automatic software updates may be running
versions of Cisco Webex Meetings that have reached end of software maintenance
and should contact customer support.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are
known to be affected by this vulnerability.

Details

Cisco Webex Meetings Suite services are hosted multimedia conferencing
solutions that are managed and maintained by Cisco Webex. The Cisco Webex
Player is an application that is used to play back Webex meetings that have
been recorded in WRF format by an online meeting attendee. The Cisco Webex
Player can be installed only manually from the Cisco Webex site.

The Cisco Webex Player for WRF files is available only for Cisco Webex Meetings
Suite (WBS31, WBS32, and WBS33) and Cisco Webex Meetings. The affected player
is not available for Cisco Webex Meetings Server.

Windows, Mac OS X, and Linux versions of the Cisco Webex Player are affected by
the vulnerability described in this advisory.

Workarounds

There are no workarounds that address this vulnerability. However, it is
possible to remove the affected Cisco Webex Player by following the
software-removal procedure for the operating system. For example, in Windows,
use Programs and Features to uninstall the affected players.

To remove Cisco Webex software from a system completely, use the Meeting
Services Removal Tool (for Microsoft Windows users) or the Mac Webex Meeting
Application Uninstaller (for Apple Mac OS X users), which are available for
download from the Cisco Collaboration Help article Cisco WebEx and 3rd Party
Support Utilities.
To remove Cisco Webex software from a Linux or UNIX-based system, follow the
steps in the Cisco Collaboration Help article How Do I Uninstall WebEx Software
on a Linux or Unix Based System?

Fixed Software

For information about fixed software releases, consult the Cisco bug ID(s) at
the top of this advisory.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software configurations
will continue to be supported properly by the new release. If the information
is not clear, customers are advised to contact the Cisco Technical Assistance
Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described in
this advisory.

Source

Cisco would like to thank Liu Yongjun for reporting this vulnerability.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-player-dos

Revision History

+----------------------------------------------------------------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-05  |
+----------------------------------------------------------------------------+

- -------------------------------------------------------------------------------

Cisco Security Advisory

Cisco Webex Teams Information Disclosure and Modification Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20180905-webex-id-mod
First Published: 2018 September 5 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvi68464
CVE-2018-0436
CWE-284
CVSS Score:      Base 8.7
                 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:X/RL:X/RC:X

Summary

A vulnerability in Cisco Webex Teams, formerly Cisco Spark, could allow an
authenticated, remote attacker to view and modify data for an organization
other than their own organization.

The vulnerability exists because the affected software performs insufficient
checks for associations between user accounts and organization accounts. An
attacker who has administrator or compliance officer privileges for one
organization account could exploit this vulnerability by using those privileges
to view and modify data for another organization account. No customer data was
impacted by this vulnerability.

Cisco has released software updates that address this vulnerability. There are
no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod

Affected Products

Vulnerable Products

This vulnerability affects all versions of Cisco Webex Teams prior to Version
20180417-150803.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are
known to be affected by this vulnerability.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has released free software updates that address the vulnerability
described in this advisory.
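The Summary above describes the flaw class (CWE-284) rather than any mechanism: a privileged role was checked, but the binding between the caller's account and the organization named in the request was not. The PowerShell below is an added, constructed model of that pattern and not Cisco's code; the users, organizations, settings and function names are invented for illustration. It places an unsafe handler, which trusts the orgId in the request, beside a hardened one in which every organization-scoped read and write goes through a single helper that derives the caller's organization from the account itself and refuses anything else.

```powershell
# Added example; a constructed model of the access-control flaw class behind
# CVE-2018-0436, not Cisco's code. All identifiers below are invented.

# Constructed directory: each account is bound to exactly one organisation.
$Users = @{
    'alice'   = @{ OrgId = 'org-A'; Roles = @('admin') }
    'bob'     = @{ OrgId = 'org-A'; Roles = @('member') }
    'mallory' = @{ OrgId = 'org-B'; Roles = @('compliance') }
}

# Constructed per-organisation settings that only that organisation's own
# administrators or compliance officers may read or change.
$OrgSettings = @{
    'org-A' = @{ RetentionDays = 365; ExternalSharing = $false }
    'org-B' = @{ RetentionDays = 30;  ExternalSharing = $true  }
}

$PrivilegedRoles = @('admin', 'compliance')

function Test-HasPrivilegedRole {
    param($Caller)
    return [bool]($Caller.Roles | Where-Object { $PrivilegedRoles -contains $_ })
}

# Unsafe handler: verifies the caller holds a privileged role, then trusts the
# organisation named in the request. A compliance officer of org-B who asks
# for org-A gets org-A's data.
function Get-OrgSettingsUnsafe {
    param([string]$CallerId, [string]$OrgId)
    $caller = $Users[$CallerId]
    if (-not $caller) { throw 'unauthenticated' }
    if (-not (Test-HasPrivilegedRole $caller)) { throw 'forbidden: privileged role required' }
    return $OrgSettings[$OrgId]   # missing: is $caller actually privileged in $OrgId?
}

# Hardened: one helper that every org-scoped operation must pass through.
# The organisation a caller may act on comes from the caller's own account;
# a request that names any other organisation is refused, whatever the role.
function Assert-CallerInOrg {
    param([string]$CallerId, [string]$OrgId)
    $caller = $Users[$CallerId]
    if (-not $caller) { throw 'unauthenticated' }
    if (-not (Test-HasPrivilegedRole $caller)) { throw 'forbidden: privileged role required' }
    if ($caller.OrgId -ne $OrgId) {
        throw "forbidden: $CallerId holds no privilege in $OrgId"
    }
    return $caller
}

function Get-OrgSettingsSafe {
    param([string]$CallerId, [string]$OrgId)
    $null = Assert-CallerInOrg -CallerId $CallerId -OrgId $OrgId
    return $OrgSettings[$OrgId]
}

function Set-OrgRetentionSafe {
    param([string]$CallerId, [string]$OrgId, [int]$RetentionDays)
    $null = Assert-CallerInOrg -CallerId $CallerId -OrgId $OrgId
    $OrgSettings[$OrgId].RetentionDays = $RetentionDays
}

# mallory (compliance officer in org-B) targets org-A:
Get-OrgSettingsUnsafe -CallerId 'mallory' -OrgId 'org-A'        # returns org-A's settings (the bug)
try { Get-OrgSettingsSafe -CallerId 'mallory' -OrgId 'org-A' } catch { "read denied: $_" }
try { Set-OrgRetentionSafe -CallerId 'mallory' -OrgId 'org-A' -RetentionDays 1 } catch { "write denied: $_" }
Get-OrgSettingsSafe -CallerId 'alice' -OrgId 'org-A'            # allowed: alice administers org-A
```

The point of the helper is that the cross-organization check is not something each handler remembers to add; the read path and the write path both fail closed through the same function, and a handler that forgets it cannot reach the data store without it. When reviewing a multi-tenant API for this class of bug, look for any handler that resolves a tenant identifier taken from the URL, body or query string without comparing it to the one bound to the session.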
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller or
partner. In most cases this will be a maintenance upgrade to software that was
previously purchased. Free security software updates do not entitle customers
to a new software license, additional software feature sets, or major revision
upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software configurations
will continue to be supported properly by the new release. If the information
is not clear, customers are advised to contact the Cisco Technical Assistance
Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to
provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases

Cisco fixed this vulnerability in Cisco Webex Teams Versions 20180417-150803
and later. Customers are advised to upgrade to the latest version of Cisco
Webex Teams.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described in
this advisory.

Source

This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-webex-id-mod

Revision History

+----------------------------------------------------------------------------+
| Version | Description              | Section | Status | Date               |
|---------+--------------------------+---------+--------+--------------------|
| 1.0     | Initial public release.  |         | Final  | 2018-September-05  |
+----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5HT22aOgq3Tt24GAQgTOQ//ZVEULD3cZTlFAqkEQaSvQ0z9/Oi2hjDm
GOP14KEmZcBjbARVDsgYTPkLNcqOkxjIenmG5W6/H2pTywCu+64SnxUmebhOpTI9
bJyW+5YSgMzeNhb6Yf54OFmAoDAGQ00L5yXPMettR/XBmGC1E2PX9EnLDoDODEQQ
MiADZgAuBTJGMXC70+gMjaqCOETOcx1plesGr0tPo4WvQDSAx68WsO129+IGIZoc
jCNC5lsvo+yvzEoUu/C++5h9n9/p0X5boHLSAMj+KIWt62YYgT3475JQR5Bg1UvD
QLNwhupeg5k6mdZVCQZRTQOBeYX6TYWIQCXlATHxhqaMUQP+oz++RYEcJPX25fwa
eDGQQ3aMlfbikix9T7iheaWyebXXc7UPYuJHufuoHf93u/nkGwbhzGLh/ChO1a9I
Fe72cL2/r53/0SB+sg3B6yHJ9x96eCjjWSXCmUay93rpGTlZIascFPCXCoYuRf8h
Cm4kT1PjuOY0J9GulcF/6RmSigke8v4+eDjZYytVoBL9Az8R/4VQyRlYK6TRacVG
tuTCMnk/S6PCUVgnjxbAxcTKgvBTdR5UriwVRYwj4Vai12TATkAIFQTARBuJ1iRc
taClxeIBD/rBNNDla8qLGxZcnO3v6gF+iOpszbbvUe6oJjuGnpmrHOFbpQjhozfV
Ch334T8Zlz8=
=3QfF
-----END PGP SIGNATURE-----