Cisco fixes major security flaws in Webex on Windows and Mac
Cisco has addressed two high severity vulnerabilities in its Webex video conferencing software that could have allowed unprivileged attackers to run programs and code on vulnerable systems.
The two vulnerabilities, tracked as CVE-2020-3263 and CVE-2020-3342, affect Cisco Webex Meetings Desktop App releases earlier than version 39.5.12. and all Webex users should update their software to the latest version to avoid falling victim to any potential exploits.
In an advisory concerning the arbitrary program execution flaw affecting Webex’s Windows client, Cisco provided more details on the vulnerability and explained what an attacker could do to a user’s system following a successful exploit, saying:
“The vulnerability is due to improper validation of input that is supplied to application URLs. The attacker could exploit this vulnerability by persuading a user to follow a malicious URL. A successful exploit could allow the attacker to cause the application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system.”
Webex vulnerabilities
Cisco also patched a remote code execution vulnerability in Webex’s Mac client that was caused by improper certificate validation on software update files downloaded by the software.
The vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code with the same privileges of the logged in user on macOS. In a separate advisory, Cisco explained how an attacker could exploit the vulnerability, saying:
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update.”
Cisco has since fixed both of these vulnerabilities with the release of version 40.1.0 of Webex for Windows and version 39.5.11 of Webex for Mac. Windows and Mac users can update their Cisco Webex clients by following these instructions while admins can update both versions of the client by following this guide.
Via BleepingComputer