cisco-sa-20181024-webex-injection: Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
First published: Wed Oct 24 2018(Updated: )
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. After an additional attack method was reported to Cisco, the previous fix for this vulnerability was determined to be insufficient. A new fix was developed, and the advisory was updated on November 27, 2018, to reflect which software releases include the complete fix. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection
Credit: Ron Bowes Counter HackJeff McJunkin Counter HackCisco would also like to thank the following researchers for independently reporting an additional attack that affected the previously fixed releases:
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Webex Meetings |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of cisco-sa-20181024-webex-injection?
The severity of cisco-sa-20181024-webex-injection is considered high due to its potential for arbitrary command execution by an authenticated local attacker.
How do I fix cisco-sa-20181024-webex-injection?
To fix cisco-sa-20181024-webex-injection, update the Cisco Webex Meetings Desktop App to the latest version that contains the security patch.
What causes the cisco-sa-20181024-webex-injection vulnerability?
The cisco-sa-20181024-webex-injection vulnerability is caused by insufficient validation of user-supplied parameters in the update service of the Cisco Webex Meetings Desktop App.
Who is affected by cisco-sa-20181024-webex-injection?
The cisco-sa-20181024-webex-injection vulnerability affects users of the Cisco Webex Meetings Desktop App for Windows.
What types of attacks can exploit cisco-sa-20181024-webex-injection?
Exploitation of cisco-sa-20181024-webex-injection could allow an attacker to execute arbitrary commands on the affected system as a privileged user.
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- collector/cisco-advisory
- source/Cisco
- agent/references
- agent/severity
- agent/title
- agent/weakness
- agent/author
- agent/description
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco webex meetings