Cisco Patches Remote Command Execution in Webex Teams Client

Cisco this week addressed a High severity vulnerability in the Webex Teams client for Windows that could allow an attacker to execute commands remotely.

The issue is created “due to improper restrictions on software logging features used by the application on Windows operating systems.”

To exploit the vulnerability, an attacker would need to convince the user to visit a website specifically designed to submit malicious input to the affected application. Successful exploitation could result in the application modifying files and executing arbitrary commands on the system.

The bug was found to impact all Cisco Webex Teams for Windows releases prior to version 3.0.12427.0.

A second High severity bug that Cisco addressed this week was an information disclosure in the “plug-and-play” services component of Industrial Network Director (IND).

The vulnerability, Cisco says, is due to “improper access restrictions on the web-based management interface.”

An attacker looking to exploit the vulnerability would need to send a crafted HTTP request to an affected device. Successful exploitation could result in the attacker accessing running configuration information about devices managed by the IND, including administrative credentials.

Also this week, Cisco released patches for a series of Medium severity issues impacting Unified Contact Center Express (Unified CCX), Content Security Management Appliance (SMA), Jabber Client Framework (JCF) for Mac software, Identity Services Engine (ISE) software, and Finesse.

An attacker targeting these bugs could bypass access controls and conduct server-side request forgery (SSRF) attacks, gain out-of-scope access to email, execute arbitrary code, conduct cross-site scripting (XSS) attacks, or conduct SSRF attacks, respectively.

Cisco also published an advisory on multiple vulnerabilities impacting Cisco Small Business RV160, 260, and 340 Series VPN routers. The issues were discovered by SEC Consult, which published its own advisory.

The bugs include hardcoded credentials, undocumented user accounts (debug-admin and root accounts), known GNU glibc vulnerabilities, known BusyBox vulnerabilities, and unneeded software packages.

The issues were found to impact RV160 Series VPN Routers: 1.0.00.15 and earlier; RV260 Series VPN Routers: 1.0.00.15 and earlier; and RV340 Series Dual WAN Gigabit VPN Routers: 1.0.02.16 and earlier.
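The affected-version boundaries quoted above (Webex Teams "prior to" 3.0.12427.0, the RV routers "and earlier") are the values a defender needs when triaging an asset inventory. The script below is an added example, not Cisco's or SecurityWeek's code: it turns those boundaries into rules and checks a constructed inventory against them. The product-name substrings, the `find_affected` helper and the sample hosts are this example's own assumptions; the version thresholds are the ones stated in the article. Note the two details that naive string comparison gets wrong: "1.0.10.0" must sort after "1.0.02.16", and "prior to" is a strict inequality while "and earlier" includes the boundary.

```python
"""Flag inventory entries inside the affected-version ranges stated in the
advisory summary (added example; not Cisco's code)."""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> List[int]:
    """Split a dotted version such as "1.0.02.16" into integers so that
    "1.0.10.0" sorts after "1.0.02.16" (plain string comparison would not)."""
    return [int(part) for part in v.strip().split(".")]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.
    Shorter versions are zero-padded so "3.0.12427" equals "3.0.12427.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass(frozen=True)
class AffectedRule:
    product_match: str  # substring looked for in the inventory product name (assumption)
    boundary: str       # version quoted in the advisory summary
    inclusive: bool     # True for "X and earlier", False for "prior to X"


# Thresholds exactly as stated in the article; the product_match strings are
# this example's own simplification of the product names.
RULES = [
    AffectedRule("Webex Teams", "3.0.12427.0", inclusive=False),  # Windows client, "prior to"
    AffectedRule("RV160", "1.0.00.15", inclusive=True),
    AffectedRule("RV260", "1.0.00.15", inclusive=True),
    AffectedRule("RV340", "1.0.02.16", inclusive=True),
]


def is_affected(product: str, version: str) -> bool:
    """True when the product name matches a rule and the installed version
    falls inside that rule's affected range."""
    for rule in RULES:
        if rule.product_match in product:
            cmp = compare_versions(version, rule.boundary)
            return cmp <= 0 if rule.inclusive else cmp < 0
    return False


# Constructed sample inventory: (hostname, product name, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "Cisco Webex Teams for Windows", "3.0.12000.0"),          # prior to the fix
    ("ws-02", "Cisco Webex Teams for Windows", "3.0.12427.0"),          # fixed release itself
    ("rtr-01", "Cisco RV160 VPN Router", "1.0.00.15"),                  # "and earlier" includes this
    ("rtr-02", "Cisco RV340 Dual WAN Gigabit VPN Router", "1.0.02.16"), # boundary, affected
    ("rtr-03", "Cisco RV340 Dual WAN Gigabit VPN Router", "1.0.03.01"), # constructed later version
    ("ise-01", "Cisco Identity Services Engine", "2.6"),                # no version rule in the article
]


def find_affected(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose installed version is in an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Running the block as-is reports ws-01, rtr-01 and rtr-02; the fixed Webex release and the constructed later RV340 firmware are correctly left out. In a real deployment the inventory rows would come from an asset database or endpoint agent rather than a hard-coded list, and the rules would be keyed on a stable product identifier instead of a name substring.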

Cisco has already released software updates to address all of these bugs. The company also says it is not aware of any public announcements or malicious use of these vulnerabilities. Cisco published details on all of these bugs on its support website.
