Cisco has released security updates for a series of flaws in its Webex Network Recording Player that a remote attacker could use to take control of a system running the software.
Cisco has supplied fixes for three CVEs that it says “could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system”.
The flaws are specific to the way Cisco Webex Network Recording Player handles its own file format, Advanced Recording Format, or .ARF.
The Webex Network Recording Player is an enterprise tool that lets users replay meetings, events, and training sessions recorded on a Webex server and saved as .ARF files.
The events can be recorded with various Webex modules, like Webex Meetings, Webex Events, and Webex Training. Users can download an .ARF file using Cisco’s player software or stream it if they receive a link.
According to Cisco, the bugs can be exploited if an attacker sends a target a link or email attachment containing a malicious .ARF file and tricks the target into opening it in the Cisco Webex Player; successful exploitation lets the attacker execute arbitrary code on the affected system.
Admins may also need to check the exact configuration of the Webex Meetings services they run: content can be stored online and downloaded by a user in .ARF, but meetings can also be recorded directly on local computers in the .WRF format. The latter is not affected by these flaws.
Cisco notes that the Windows, OS X, and Linux versions of Cisco Webex Network Recording Player are each affected by at least one of the vulnerabilities outlined in its advisory.
Affected ARF recording players ship with Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server. The affected versions are:
- Cisco Webex Meetings Suite (WBS32) - Webex Network Recording Player versions prior to WBS32.15.10
- Cisco Webex Meetings Suite (WBS33) - Webex Network Recording Player versions prior to WBS33.3
- Cisco Webex Meetings Online - Webex Network Recording Player versions prior to 1.3.37
- Cisco Webex Meetings Server - Webex Network Recording Player versions prior to 3.0MR2
Cisco notes there are no workarounds for these bugs, so for customers with a valid license an update must be installed. Organizations that don’t have a current license but may have users with the affected software installed on clients can remove Cisco Webex Network Recording Player and Cisco Webex Player. Cisco has provided instructions in the advisory.
The flaws were reported by a formerly Australian-based security researcher Steven Seeley of Source Incite via Trend Micro’s Zero Day Initiative. Seeley’s website lists 17 distinct flaws affecting the WebEx Network Recording Player that he reported to Trend Micro, though Cisco only attributed two CVEs — CVE-2018-15414 and CVE-2018-15422 — to the researcher in its advisory.