Cisco Patches Remote Code Execution Flaws in Webex Player

Cisco has released patches to address more than a dozen vulnerabilities across various products, including two code execution bugs in Webex Player that could be exploited remotely. 

Tracked as CVE-2020-3127 and CVE-2020-3128 and rated high severity (CVSS score 7.8), the issues reside in the insufficient validation of elements within a Webex recording stored as ARF (Advanced Recording Format) or WRF (Webex Recording Format).

To exploit the bugs, an attacker needs to send a malicious ARF or WRF file and trick the victim into opening the file the local system, which could result in arbitrary code being executed with the privileges of the targeted user.

The flaws impact Webex Meetings (Webex Network Recording Player and Webex Player versions prior to WBS 39.5.17 or WBS 39.11.0), Webex Meetings Online (Webex Network Recording Player and Webex Player releases earlier than 1.3.49), and Webex Meetings Server (Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2). 

Cisco says there are no workarounds to mitigate these flaws, but security updates to address them have been released. The company is not aware of exploitation attempts targeting the bugs. 

Today, the company also released an advisory for a high risk flaw in the SSL implementation of the Intelligent Proximity solution. Tracked as CVE-2020-3155 (CVSS score 7.4), the issue could be exploited remotely to view or alter information shared on Webex video devices and Cisco collaboration endpoints. 

The bug exists due to the lack of validation of the SSL server certificate received when connecting to a Webex video device or a Cisco collaboration endpoint. A man in the middle (MITM) attacker could intercept the traffic between the client and an endpoint, and view presentations or modify content sent to the victim. 

Cisco products impacted by the bug include Intelligent Proximity application, Jabber, Webex Meetings, Webex Teams, and Meeting App and no software updates are available to address the issue. As mitigation, Cisco encourages disabling the Proximity pairing feature (it cannot be disabled in the Meeting App). 

A third high severity flaw addressed today impacts the web-based interface of Prime Network Registrar (CPNR) and could allow a remote attacker to launch a cross-site request forgery (CSRF) attack without authentication. Tracked as CVE-2020-3148, the bug features a CVSS score of 7.1.

An attacker able to successfully exploit the bug could change device configuration to, among others, edit or create user accounts of any privilege level. Cisco has released patches to address the vulnerability. 

Today, the company also published advisories for nine medium severity vulnerabilities that could lead to information disclosure, cross-site scripting (XSS), command execution, denial of service, or resource exhaustion. 

The bugs impact Webex Meetings Client for MacOS, TelePresence Management Suite, Remote PHY Device Software, Prime Collaboration Provisioning, Identity Services Engine (ISE), IOS XR Software, AsyncOS Software for Email Security Appliances (ESAs), and ESA, Web Security Appliance (WSA), and Content Security Management Appliance (SMA).

Cisco says it is not aware of exploitation attempts targeting the bugs. The company has published details on these vulnerabilities on its support website.