Cisco has released patches to address more than a dozen vulnerabilities across various products, including two code execution bugs in Webex Player that could be exploited remotely.
Tracked as CVE-2020-3127 and CVE-2020-3128 and rated high severity (CVSS score 7.8), the issues reside in the insufficient validation of elements within a Webex recording stored as ARF (Advanced Recording Format) or WRF (Webex Recording Format).
To exploit the bugs, an attacker needs to send a malicious ARF or WRF file and trick the victim into opening it on the local system, which could result in arbitrary code being executed with the privileges of the targeted user.
The flaws impact Webex Meetings (Webex Network Recording Player and Webex Player versions prior to WBS 39.5.17 or WBS 39.11.0), Webex Meetings Online (Webex Network Recording Player and Webex Player releases earlier than 1.3.49), and Webex Meetings Server (Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2).
Cisco says there are no workarounds to mitigate these flaws, but security updates to address them have been released. The company is not aware of exploitation attempts targeting the bugs.
Today, the company also released an advisory for a high-risk flaw in the SSL implementation of the Intelligent Proximity solution. Tracked as CVE-2020-3155 (CVSS score 7.4), the issue could be exploited remotely to view or alter information shared on Webex video devices and Cisco collaboration endpoints.
The bug exists because the SSL server certificate received when connecting to a Webex video device or a Cisco collaboration endpoint is not validated. A man-in-the-middle (MITM) attacker could intercept the traffic between the client and an endpoint, and view presentations or modify content sent to the victim.
Cisco products impacted by the bug include the Intelligent Proximity application, Jabber, Webex Meetings, Webex Teams, and Meeting App, and no software updates are available to address the issue. As a mitigation, Cisco encourages disabling the Proximity pairing feature (it cannot be disabled in the Meeting App).
A third high severity flaw addressed today impacts the web-based interface of Prime Network Registrar (CPNR) and could allow a remote attacker to launch a cross-site request forgery (CSRF) attack without authentication. Tracked as CVE-2020-3148, the bug features a CVSS score of 7.1.
An attacker able to successfully exploit the bug could change device configuration to, among others, edit or create user accounts of any privilege level. Cisco has released patches to address the vulnerability.
Today, the company also published advisories for nine medium severity vulnerabilities that could lead to information disclosure, cross-site scripting (XSS), command execution, denial of service, or resource exhaustion.
The bugs impact Webex Meetings Client for macOS, TelePresence Management Suite, Remote PHY Device Software, Prime Collaboration Provisioning, Identity Services Engine (ISE), IOS XR Software, and AsyncOS Software for Email Security Appliance (ESA), Web Security Appliance (WSA), and Content Security Management Appliance (SMA).
Cisco says it is not aware of exploitation attempts targeting the bugs. The company has published details on these vulnerabilities on its support website.

More from Ionut Arghire