Security Experts:

Cisco Fixes Severe Flaws in WebEx, Small Business Products

Cisco informed customers on Wednesday that it has released software and firmware updates for some of its products in an effort to address several vulnerabilities rated as having critical, high and medium severity.

Francis Provencher, security researcher and founder of the Canadian government agency COSIG, has been credited by Cisco for identifying two vulnerabilities in WebEx Meetings Player.

The more serious of the flaws, rated critical, is CVE-2016-1464, which allows an unauthenticated attacker to remotely execute arbitrary code by convincing a user to open a specially crafted file with the vulnerable software.

Another vulnerability found by the researcher, classified as having medium severity, allows an unauthenticated attacker to remotely crash the WebEx Meetings Player by getting the victim to open a malicious file.

Both vulnerabilities found by Provencher affect Cisco WebEx Meetings Player version T29.10 for WRF files. Cisco has released updates to address the bugs, but no workarounds are available.

Cisco has also published advisories describing five different vulnerabilities affecting Small Business series switches and IP phones. Four of the issues were reported to the vendor by Nicolas Collignon and Renaud Dubourguais of Synacktiv, and one by security researcher Chris Watts.

The experts discovered that Cisco Small Business 220 Series Smart Plus (Sx220) switches are plagued by a flaw that allows a remote, unauthenticated attacker to gain access to Simple Network Management Protocol (SNMP) objects on vulnerable devices. The security hole, classified as “critical” and tracked as CVE-2016-1473, is caused by the existence of a default SNMP community string that cannot be removed.

A different advisory details a high severity denial-of-service (DoS) vulnerability affecting Small Business IP phones, namely the SPA300, SPA500 and SPA51x models. Due to incorrect handling of malformed HTTP traffic, the phones can enter a DoS condition if a remote attacker sends them specially crafted requests. This issue has been assigned the CVE-2016-1469 identifier.

Cisco has also released patches for three medium severity cross-site request forgery (CSRF), cross-site scripting (XSS) and DoS vulnerabilities affecting Small Business 220 Series Smart Plus (Sx220) switches.

The company recently issued updates for its Adaptive Security Appliance (ASA) software to address a serious remote code execution vulnerability leveraged by a zero-day exploit. The existence of the exploit came to light after a threat actor leaked firewall exploits and implants allegedly stolen from an NSA-linked group.

Related: Cisco Patches Critical Flaws in Firepower Management Center

Related: No Patch for Critical RCE Flaw in Cisco Routers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.