Connect with us

Hi, what are you looking for?


Network Security

Cisco Fixes Severe Flaws in WebEx, Small Business Products

Cisco informed customers on Wednesday that it has released software and firmware updates for some of its products in an effort to address several vulnerabilities rated as having critical, high and medium severity.

Cisco informed customers on Wednesday that it has released software and firmware updates for some of its products in an effort to address several vulnerabilities rated as having critical, high and medium severity.

Francis Provencher, security researcher and founder of the Canadian government agency COSIG, has been credited by Cisco for identifying two vulnerabilities in WebEx Meetings Player.

The more serious of the flaws, rated critical, is CVE-2016-1464, which allows an unauthenticated attacker to remotely execute arbitrary code by convincing a user to open a specially crafted file with the vulnerable software.

Another vulnerability found by the researcher, classified as having medium severity, allows an unauthenticated attacker to remotely crash the WebEx Meetings Player by getting the victim to open a malicious file.

Both vulnerabilities found by Provencher affect Cisco WebEx Meetings Player version T29.10 for WRF files. Cisco has released updates to address the bugs, but no workarounds are available.

Cisco has also published advisories describing five different vulnerabilities affecting Small Business series switches and IP phones. Four of the issues were reported to the vendor by Nicolas Collignon and Renaud Dubourguais of Synacktiv, and one by security researcher Chris Watts.

The experts discovered that Cisco Small Business 220 Series Smart Plus (Sx220) switches are plagued by a flaw that allows a remote, unauthenticated attacker to gain access to Simple Network Management Protocol (SNMP) objects on vulnerable devices. The security hole, classified as “critical” and tracked as CVE-2016-1473, is caused by the existence of a default SNMP community string that cannot be removed.

Advertisement. Scroll to continue reading.

A different advisory details a high severity denial-of-service (DoS) vulnerability affecting Small Business IP phones, namely the SPA300, SPA500 and SPA51x models. Due to incorrect handling of malformed HTTP traffic, the phones can enter a DoS condition if a remote attacker sends them specially crafted requests. This issue has been assigned the CVE-2016-1469 identifier.

Cisco has also released patches for three medium severity cross-site request forgery (CSRF), cross-site scripting (XSS) and DoS vulnerabilities affecting Small Business 220 Series Smart Plus (Sx220) switches.

The company recently issued updates for its Adaptive Security Appliance (ASA) software to address a serious remote code execution vulnerability leveraged by a zero-day exploit. The existence of the exploit came to light after a threat actor leaked firewall exploits and implants allegedly stolen from an NSA-linked group.

Related: Cisco Patches Critical Flaws in Firepower Management Center

Related: No Patch for Critical RCE Flaw in Cisco Routers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...