
Remote code execution flaw found in Cisco WebEx

Researchers say exploiting the flaw is easier than checking a system for it

Security researchers have discovered a flaw in WebEx's WebexUpdateService that allows anyone with a login to the Windows system where Cisco's client software is installed to run system-level code remotely.

The vulnerability is "pretty unique" as it is "a remote vulnerability in a client application that doesn't even listen on a port", according to a blog post by Ron Bowes and Jeff McJunkin of Counter Hack.

When the WebEx client is installed on a system, a Windows service called WebExService is also installed that can execute commands with system-level privilege.

According to a website detailing the hack, poorly handled access control lists (ACLs) allow any local or domain user to start this service over Windows' remote service interface. The exception is Windows 10, where an admin login is required.

"As far as we know, a remote attack against a 3rd party Windows service is a novel type of attack. We're calling the class 'thank you for your service', because we can, and are crossing our fingers that more are out there!" Bowes said.

Bowes said that exploiting the vulnerability is "actually easier than checking for it".

"The patched version of WebEx still allows remote users to connect to the process and start it," he explained. "However, if the process detects that it's being asked to run an executable that is not signed by Webex, the execution will halt."

In an advisory, Cisco said the vulnerability is due to insufficient validation of user-supplied parameters. "An attacker could exploit this vulnerability by invoking the update service command with a crafted argument," said the advisory.

Bowes said that WebEx released a patch on 3 October and that users should make sure they're running this new client version.

"The good news is, the patched version of this service will only run files that are signed by WebEx. The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely," he said.

The Cisco advisory said that users could determine whether a vulnerable version of Cisco Webex Meetings Desktop App is installed on a Windows machine by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window, then selecting the About... menu entry. A popup window displaying the currently installed version will open.
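The ACL weakness described above can be audited from a service's security descriptor. The following is an added example, not code from Cisco or Counter Hack: it parses the SDDL string that `sc sdshow <service>` prints and flags allow ACEs that grant the right to start the service to broad user groups. Both SDDL strings are constructed samples, not the WebEx service's real descriptor.

```python
import re

# Constructed sample descriptors (assumptions, not taken from a real WebEx install).
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWRPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
TIGHT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

# SDDL trustees that cover ordinary (non-admin) local or domain users.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
    "NU": "Network", "BU": "Builtin Users", "DU": "Domain Users",
    "AN": "Anonymous", "BG": "Builtin Guests",
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
}
# For services, RP is SERVICE_START; generic all/execute (GA/GX) include it.
START_TOKENS = {"RP", "GA", "GX"}
SERVICE_START, GENERIC_EXECUTE, GENERIC_ALL = 0x0010, 0x20000000, 0x10000000


def grants_start(rights: str) -> bool:
    """True if an SDDL rights field includes the right to start the service."""
    if rights.lower().startswith("0x"):  # numeric access-mask form
        mask = int(rights, 16)
        return bool(mask & (SERVICE_START | GENERIC_EXECUTE | GENERIC_ALL))
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & START_TOKENS)


def broad_start_aces(sddl: str) -> list[tuple[str, str]]:
    """Return (trustee, rights) for DACL allow ACEs letting a broad group start the service.

    Deny ACEs are not evaluated, so a finding means "review this", not proof of access.
    """
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]  # drop owner/group and the SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":  # only plain allow ACEs
            continue
        rights, trustee = fields[2], fields[5]
        if trustee in BROAD_PRINCIPALS and grants_start(rights):
            findings.append((BROAD_PRINCIPALS[trustee], rights))
    return findings


if __name__ == "__main__":
    for name, sddl in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(name, broad_start_aces(sddl))
```

As the researchers note, the patched service can still be started remotely, so a finding here shows who holds the start right, not whether the client has been updated.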
