Remote code execution flaw found in Cisco WebEx

Researchers say exploiting the flaw is easier than checking a system for it

code

Security researchers have discovered a flaw in WebEx's WebexUpdateService that allows anyone with a login to the Windows system where Cisco's client software is installed to run system-level code remotely.

The vulnerability is "pretty unique" as it is "a remote vulnerability in a client application that doesn't even listen on a port", according to a blog post by Ron Bowes and Jeff McJunkin of Counter Hack.

When the WebEx client is installed on a system, a Windows service called WebExService is also installed that can execute commands with system-level privilege.

According to a website detailing the hack, due to poorly handled access control lists (ACLs), any local or domain user can start this service over Windows' remote service interface, except those running the client on Windows 10 (which requires an admin login).

"As far as we know, a remote attack against a 3rd party Windows service is a novel type of attack. We're calling the class "thank you for your service", because we can, and are crossing our fingers that more are out there!" Bowes said.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Bowes said that exploiting the vulnerability is "actually easier than checking for it".

"The patched version of WebEx still allows remote users to connect to the process and start it," he explained. "However, if the process detects that it's being asked to run an executable that is not signed by Webex, the execution will halt."

In an advisory, Cisco said the vulnerability is due to insufficient validation of user-supplied parameters. "An attacker could exploit this vulnerability by invoking the update service command with a crafted argument," said the advisory.

Bowes said that WebEx released a patch on 3 October and that users should make sure they're running this new client version.

"The good news is, the patched version of this service will only run files that are signed by WebEx. The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely," he said.

Advertisement - Article continues below

The Cisco advisory said that users could determine whether a vulnerable version of Cisco Webex Meetings Desktop App is installed on a Windows machine by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window, then selecting the About... menu entry. A popup window displaying the currently installed version will open.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020