Remote code execution flaw found in Cisco WebEx

Researchers say exploiting the flaw is easier than checking a system for it

code

Security researchers have discovered a flaw in WebEx's WebexUpdateService that allows anyone with a login to the Windows system where Cisco's client software is installed to run system-level code remotely.

The vulnerability is "pretty unique" as it is "a remote vulnerability in a client application that doesn't even listen on a port", according to a blog post by Ron Bowes and Jeff McJunkin of Counter Hack.

When the WebEx client is installed on a system, a Windows service called WebExService is also installed that can execute commands with system-level privilege.

According to a website detailing the hack, due to poorly handled access control lists (ACLs), any local or domain user can start this service over Windows' remote service interface, except those running the client on Windows 10 (which requires an admin login).

"As far as we know, a remote attack against a 3rd party Windows service is a novel type of attack. We're calling the class "thank you for your service", because we can, and are crossing our fingers that more are out there!" Bowes said.

Bowes said that exploiting the vulnerability is "actually easier than checking for it".

"The patched version of WebEx still allows remote users to connect to the process and start it," he explained. "However, if the process detects that it's being asked to run an executable that is not signed by Webex, the execution will halt."

In an advisory, Cisco said the vulnerability is due to insufficient validation of user-supplied parameters. "An attacker could exploit this vulnerability by invoking the update service command with a crafted argument," said the advisory.

Bowes said that WebEx released a patch on 3 October and that users should make sure they're running this new client version.

"The good news is, the patched version of this service will only run files that are signed by WebEx. The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely," he said.

The Cisco advisory said that users could determine whether a vulnerable version of Cisco Webex Meetings Desktop App is installed on a Windows machine by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window, then selecting the About... menu entry. A popup window displaying the currently installed version will open.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021