Remote code execution flaw found in Cisco WebEx

Researchers say exploiting the flaw is easier than checking a system for it

code

Security researchers have discovered a flaw in WebEx's WebexUpdateService that allows anyone with a login to the Windows system where Cisco's client software is installed to run system-level code remotely.

The vulnerability is "pretty unique" as it is "a remote vulnerability in a client application that doesn't even listen on a port", according to a blog post by Ron Bowes and Jeff McJunkin of Counter Hack.

When the WebEx client is installed on a system, a Windows service called WebExService is also installed that can execute commands with system-level privilege.

According to a website detailing the hack, due to poorly handled access control lists (ACLs), any local or domain user can start this service over Windows' remote service interface, except those running the client on Windows 10 (which requires an admin login).

"As far as we know, a remote attack against a 3rd party Windows service is a novel type of attack. We're calling the class "thank you for your service", because we can, and are crossing our fingers that more are out there!" Bowes said.

Bowes said that exploiting the vulnerability is "actually easier than checking for it".

"The patched version of WebEx still allows remote users to connect to the process and start it," he explained. "However, if the process detects that it's being asked to run an executable that is not signed by Webex, the execution will halt."

In an advisory, Cisco said the vulnerability is due to insufficient validation of user-supplied parameters. "An attacker could exploit this vulnerability by invoking the update service command with a crafted argument," said the advisory.

Bowes said that WebEx released a patch on 3 October and that users should make sure they're running this new client version.

"The good news is, the patched version of this service will only run files that are signed by WebEx. The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely," he said.

The Cisco advisory said that users could determine whether a vulnerable version of Cisco Webex Meetings Desktop App is installed on a Windows machine by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window, then selecting the About... menu entry. A popup window displaying the currently installed version will open.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021