Security Vulnerabilities Discovered in Cisco WebEx Conferencing Apps

Boston based Core Security Technologies, a provider of IT security test and measurement software solutions, today issued an advisory disclosing stack overflow vulnerabilities affecting Cisco’s WebEx applications used to conduct Web-based video conferencing. As part of Core Security’s ongoing vulnerability research, Core Security experts have identified two vulnerabilities that can compromise end-user machines and can cause the computers to crash.

Core Security coordinated with Cisco to address the vulnerabilities and provide solutions for WebEx users prior to announcing the vulnerability to the public.

Core Security researchers Federico Muttis, Sebastian Tello and Manuel Muradas teamed to discover two separate vulnerabilities, each affecting a separate Cisco WebEx application. First, the research team manipulated a file created by the Cisco WebEx recorder (carrying the .WRF extension) and played by the WebEx player. A portion of the new file’s execution pointed to a user call instruction and allowed a hacker to execute other functions on the machine.

Second, the research team made a slight change to the XML code within a file that governs polling functionality within Cisco WebEx Meeting Center. The resulting code, when published as a poll during a presentation, crashed the machine and ultimately affected other machines connected to the WebEx meeting, causing the other participants’ machines to crash.

“Sometimes innocent actions, such as opening an email attachment that appears to be a recorded WebEx presentation, can leave a computer vulnerable to hackers,” said Alex Horan, senior product manager at Core Security Technologies. “For this reason, Core Security regularly investigates common applications to make sure they do not present new previously unknown vulnerabilities. In this case, a well-known development concern, stack overflow, is at fault. It demonstrates yet again how companies need to be constantly vigilant in testing their systems for new ways data could be compromised.”

Vulnerability Details

Users are required to install a special player from WebEx to view archived presentations that are executed in WRF format. This player is vulnerable to a stack-based overflow that an attacker may use to control the machine. The WRF bug was found when a CoreLabs researcher employed a well-known fuzzing method by opening a working file and modifying one byte.

As previously discussed, the vulnerability within the WebEx Meeting Center polling functionality was found through an even simpler method, and both vulnerabilities are related to stack overflow errors possible within each application. A stack overflow occurs when a program requests more memory than it has been allotted.

Remediation Recommendations

To remediate the WRF WebEx player vulnerability, Core Security recommends uninstalling the older version and installing the latest version, which is available here.  No remediation is necessary for the WebEx Meeting Center vulnerability, since Cisco has deployed the fix on their servers and WebEx meeting attendees are no longer exposed to the stack overflow issue.

More information on the vulnerability and the systems affected is available here