First published: Wed Feb 27 2019(Updated: )
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Webex Meetings | ||
Cisco WebEx Productivity Tools |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The cisco-sa-20190227-wmda-cmdinj vulnerability is considered high severity due to its potential to allow privileged command execution.
To fix cisco-sa-20190227-wmda-cmdinj, ensure that you update to the latest versions of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools.
cisco-sa-20190227-wmda-cmdinj affects users of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows.
The cisco-sa-20190227-wmda-cmdinj vulnerability is caused by insufficient validation of user-supplied data in the update service.
No, exploitation of cisco-sa-20190227-wmda-cmdinj requires local authentication to the affected application.