Cisco today released security updates to address two high-severity vulnerabilities found in the Cisco Webex Meetings Desktop App for Windows and macOS that could allow unprivileged attackers to run programs and code on vulnerable machines.
Cisco Webex Meetings is an online meeting and video conferencing software that makes it easy to schedule and join meetings. The platform also provides presentation, screen sharing, and recording capabilities.
The two vulnerabilities are tracked as CVE-2020-3263 and CVE-2020-3342, and they affect Cisco Webex Meetings Desktop App releases earlier than 39.5.12 and lockdown versions of Cisco Webex Meetings Desktop App for Mac earlier than 39.5.11, respectively.
Remotely execute programs on Windows systems
The arbitrary program execution security flaw affecting the Windows client is caused by the improper input validation of URLs supplied to impacted Cisco Webex Meetings Desktop App versions.
CVE-2020-3263 could enable unauthenticated, remote attackers to execute programs on systems running an unpatched Cisco Webex Meetings Desktop App release. An attacker can exploit this vulnerability by tricking the target into clicking a malicious URL.
“A successful exploit could allow the attacker to cause the application to execute other programs that are already present on the end-user system,” Cisco’s advisory reads.
“If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system.”
Execute arbitrary code remotely on Macs
The remote code execution vulnerability found in the macOS client is due to improper certificate validation on software update files downloaded by affected Cisco Webex Meetings Desktop App for Mac releases.
CVE-2020-3342 could make it possible for unauthenticated attackers to remotely execute arbitrary code with the privileges of the logged-on user on Macs running unpatched versions of Cisco Webex Meetings Desktop App for Mac.
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website,” Cisco explains.
“The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update.”
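The failure Cisco describes is an updater that executes downloaded files without first checking their cryptographic protections. The following is an added example, not Cisco's code and not the Webex update mechanism, showing the defensive pattern a client should follow: the update payload is gated behind signature verification against a key pinned inside the client, so a file served by a look-alike site is rejected before anything runs. It uses Ed25519 from the Go standard library as a stand-in for whatever certificate-based scheme the real client uses; the payload strings, the `UpdatePackage` type and the `Scenario` function are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a downloaded update: the
// payload the client would execute plus the vendor's detached signature.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned when the payload is not signed by the pinned key.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// VerifyUpdate checks the vendor signature over the SHA-256 digest of the
// payload. The public key is pinned in the client binary; it is never taken
// from the download itself or from the site that served it.
func VerifyUpdate(pinnedKey ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pinnedKey) != ed25519.PublicKeySize {
		return errors.New("invalid pinned key")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pinnedKey, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// signUpdate models the vendor's build pipeline signing a release.
func signUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// InstallUpdate is the gate: the payload reaches the executor only after
// VerifyUpdate passes. The executor is injected so the example never
// touches the filesystem.
func InstallUpdate(pinnedKey ed25519.PublicKey, pkg UpdatePackage, execute func([]byte) error) error {
	if err := VerifyUpdate(pinnedKey, pkg); err != nil {
		return err
	}
	return execute(pkg.Payload)
}

// Scenario walks through three deliveries and reports whether the gate
// behaved correctly for each: a genuine signed update (must install), the
// same update with its bytes altered in transit (must be rejected), and an
// update signed by someone other than the vendor (must be rejected).
func Scenario() (genuineInstalled, tamperedRejected, foreignRejected bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	executed := 0
	execute := func(b []byte) error { executed++; return nil }

	// 1. Genuine update signed with the vendor key.
	genuine := signUpdate(vendorPriv, []byte("constructed update payload v40.1.0"))
	genuineInstalled = InstallUpdate(vendorPub, genuine, execute) == nil && executed == 1

	// 2. Same package with one byte flipped after signing.
	tampered := UpdatePackage{Payload: append([]byte{}, genuine.Payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0x01
	tamperedRejected = errors.Is(InstallUpdate(vendorPub, tampered, execute), ErrBadSignature) && executed == 1

	// 3. Well-formed package signed by a key the client does not trust.
	foreign := signUpdate(otherPriv, []byte("constructed update payload v40.1.0"))
	foreignRejected = errors.Is(InstallUpdate(vendorPub, foreign, execute), ErrBadSignature) && executed == 1

	return
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine installed: %v, tampered rejected: %v, foreign rejected: %v\n", g, t, f)
}
```

The important design point is that the trust anchor (the pinned key) lives in the client and the check happens before execution; a client that trusts whatever key or certificate arrives alongside the update, or that verifies only the transport and not the file, is exactly what a look-alike site can abuse.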
Workaround and mitigation
While there are no known workarounds that address these two vulnerabilities, Cisco has released free software updates to patch the flaws.
Cisco’s Product Security Incident Response Team (PSIRT) was not aware of any public reports or malicious use of these vulnerabilities when the advisories were published.
Cisco fixed CVE-2020-3263 in Cisco Webex Meetings Desktop App releases 40.1.0 and later (in releases 39.5.12 and later for lockdown versions).
CVE-2020-3342 was fixed in Cisco Webex Meetings Desktop App for Mac releases 39.5.11 and later for lockdown versions.
Windows and macOS users can update the Cisco Webex Meetings Desktop App using the instructions in the Update the Cisco Webex Meetings Desktop App help center article.
Admins can update the two apps for their entire user bases by following the detailed instructions available in the IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.
This is not the first time vulnerabilities have been found and patched in Cisco’s Webex online video collaboration software.
Last year, Cisco also patched a privilege escalation security issue found in the update service of the Cisco Webex Meetings Desktop App for Windows that could have allowed unauthenticated local attackers to elevate privileges and run arbitrary commands with SYSTEM user privileges.
The information is gathered from Bleeping Computer.