-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1765.2
     Cisco WebEx Browser Extension Remote Code Execution Vulnerability
                               24 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco WebEx extensions for Google Chrome
                   Cisco WebEx extensions for Mozilla Firefox
                   Cisco WebEx Desktop Applications
Publisher:         Cisco Systems
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6753

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Revision History:  July 24 2017: Included browser auto-update information.
                   July 18 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco WebEx Browser Extension Remote Code Execution Vulnerability

Critical

Advisory ID:     cisco-sa-20170717-webex
First Published: 2017 July 17 16:00 GMT
Last Updated:    2017 July 19 23:01 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvf15012 CSCvf15020 CSCvf15030
CVSS Score:      Base 9.6, Temporal 9.6
                 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X
CVE-2017-6753
CWE-119

Summary

A vulnerability in Cisco WebEx browser extensions for Google Chrome and
Mozilla Firefox could allow an unauthenticated, remote attacker to execute
arbitrary code with the privileges of the affected browser on an affected
system.

This vulnerability affects the browser extensions for Cisco WebEx Meetings
Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center,
and Support Center), and Cisco WebEx Meetings when they are running on
Microsoft Windows.

The vulnerability is due to a design defect in the extension. An attacker who
can convince an affected user to visit an attacker-controlled web page or
follow an attacker-supplied link with an affected browser could exploit the
vulnerability. If successful, the attacker could execute arbitrary code with
the privileges of the affected browser.

Cisco has released software updates for Google Chrome and Mozilla Firefox that
address this vulnerability. There are no workarounds that address this
vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Affected Products

Vulnerable Products

This vulnerability affects Cisco WebEx extensions for Windows when running on
most supported browsers. The affected browsers are Google Chrome and Mozilla
Firefox.

The following versions of the Cisco WebEx browser extensions are affected by
the vulnerability described in this document:

    Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome
    Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox

Customers can use the following steps to determine which versions of the Cisco
WebEx extensions are being used.

Google Chrome

Chrome users can determine the version of the Cisco WebEx extension for Google
Chrome by doing the following:

    1. In Chrome, click the menu button (three dots at the upper right of the
       application) and choose More Tools > Extensions.
    2. The extension version is listed next to the Cisco WebEx extension name.

The Cisco WebEx extension for Google Chrome identification string, which
organizations can use to identify hosts that contain the extension, is the
following:

    jlhmfgmfgeifomenelglieieghnjghma

Mozilla Firefox

Firefox users can determine the version of the Cisco WebEx extension for
Mozilla Firefox by doing the following:

    1. In Firefox, click the menu button (three horizontal bars at the upper
       right of the application) and choose Add-ons.
    2. Click the Extensions tab.
    3. Locate Cisco WebEx Extension in the list of extensions and click the
       More link to obtain the version information.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Cisco has confirmed that this vulnerability does not affect the following
products:

    Cisco WebEx Productivity Tools
    Cisco WebEx browser extensions for Mac or Linux
    Cisco WebEx on Microsoft Edge or Internet Explorer

Workarounds

There are no workarounds that address this vulnerability. However, Windows
users may use Internet Explorer and administrators and users of Windows 10
systems may use Microsoft Edge to join and participate in WebEx sessions
because Microsoft Internet Explorer and Microsoft Edge are not affected by
this vulnerability.

Additionally, administrators and users can remove all WebEx software from a
Windows system by using the Meeting Services Removal Tool, which is available
from https://help.webex.com/docs/DOC-2672.

Fixed Software

Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license.
By installing, downloading, accessing, or otherwise using such software
upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do not
entitle customers to a new software license, additional software feature sets,
or major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
obtain upgrades by contacting the Cisco TAC:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

To resolve the vulnerability, users must ensure that they have updated
versions of the following:

    Cisco WebEx extensions for Google Chrome or Mozilla Firefox
    Cisco WebEx Desktop Applications

For the latest information about fixes for the following products, consult the
appropriate Cisco bug ID:

    Cisco WebEx Meeting Center:   CSCvf15012
    Cisco WebEx Event Center:     CSCvf15036
    Cisco WebEx Training Center:  CSCvf15033
    Cisco WebEx Support Center:   CSCvf15037
    Cisco WebEx Meetings Server:  CSCvf15020
    Cisco WebEx Meetings:         CSCvf15030

Browser Updates

The following subsections provide instructions for updating the Cisco WebEx
browser extensions. Customers can allow their browsers to auto-update by
launching the browser and keeping the browser window open for 3-6 hours,
during which time the extensions will be auto-updated.

Note: Should the browser window close before the auto-update check completes,
the timer will reset, requiring a browser window to be launched at a later
time and remain open for 3-6 hours to receive the update.

Google Chrome

The Cisco WebEx extension for Google Chrome version 1.0.12 was released on
July 13, 2017, and contains a fix for this vulnerability.

Chrome users can ensure they are using the fixed version of the Cisco WebEx
extension for Google Chrome by doing the following:

    1. In Chrome, click the menu button (three dots at the upper right of the
       application) and choose More Tools > Extensions.
    2. Check the Developer mode check box at the top of the extensions
       manager. Chrome will display a row of buttons.
    3. Click the Update extensions now button.
    4. Restart the Chrome browser.

Mozilla Firefox

The Cisco WebEx extension for Mozilla Firefox version 1.0.12 was released on
July 12, 2017, and contains a fix for this vulnerability.

Firefox users can ensure they are using the fixed version of the Cisco WebEx
extension for Mozilla Firefox by doing the following:

    1. In Firefox, click the menu button (three horizontal bars at the upper
       right of the application) and choose Add-ons.
    2. Click the Extensions tab.
    3. Locate Cisco WebEx Extension in the list of extensions and click the
       More link to obtain the version information.
    4. Click the cogwheel next to the search bar and choose Check for Updates.

Microsoft Internet Explorer

Because there are shared components between the Google Chrome and Mozilla
Firefox extensions and Internet Explorer, Internet Explorer users will be
prompted to update Cisco WebEx plug-ins. The plug-ins are available as part of
the Cisco WebEx client packages associated with each WebEx product, and will
be available to download after a WebEx site has been upgraded to a fixed
version. Upgraded clients are available from the Downloads section of each
site after an upgrade has been performed. Users that connect to an upgraded
site without the updated client software may be prompted to perform an online
upgrade.

Customers may check that the browser plug-in upgrade was successful by using
the following procedures for Microsoft Internet Explorer:

Note: The registered name of the plug-in in Internet Explorer may differ based
on the installation method used for the plug-in. The version of the plug-in
depends on the version of Cisco WebEx that provided the update. The update may
have been applied either via the web when joining a WebEx meeting or by a
local update of the client via an MSI file. When a fixed version of the
plug-in from any version of Cisco WebEx is installed, it will not be
downgraded or changed to a version installed by a different fixed version of
Cisco WebEx.

Internet Explorer users can ensure they are using the fixed version of the
plug-in for Internet Explorer by doing the following:

    1. In Internet Explorer, click the Tools button (the cog icon at the upper
       right of the application) and choose Manage add-ons.
    2. From the Show drop-down menu, choose All add-ons.
    3. Select either the Download Manager or GpcContainer Class add-on under
       Cisco WebEx LLC. The version number is displayed at the bottom of the
       Manage add-ons window.
    4. Validate that the Download Manager version or GpcContainer Class
       version displayed is one of the version strings in the following
       table:

    Cisco WebEx Major Version   Fixed GPC Container or Download Manager Version
    32.3.4.5                    10032.3.2017.711
    31.14.3.30                  10031.14.2017.711
    31.11.11                    10031.11.2017.0713
    30.20.3.10012               10030.100.2017.0711
    30.9.3                      10030.100.2017.0713
    30.6.7                      10030.100.2017.0713

Validating Cisco WebEx Desktop Application Product Upgrades

Cisco has released fixes for all major versions for Cisco WebEx Desktop
Application for use with following products:

    Cisco WebEx Meeting Center
    Cisco WebEx Event Center
    Cisco WebEx Training Center
    Cisco WebEx Support Center
    Cisco WebEx Meetings

    Cisco WebEx Major Version   Fixed Desktop Application Version
    WBS32                       32.3.4.5
    WBS31                       31.14.3, 31.11.11
    WBS30                       30.20.3, 30.9.3, 30.6.7

Note: There are no fixes available for WBS29.

Current WebEx customers can confirm that their site has received updated
software by reviewing the Application Version information in the Support
section of their WebEx page. Perform the following steps to view this
information:

    1. Sign in to your WebEx account.
    2. Click the Meeting Center tab.
    3. Under Support, click Downloads.
    4. The Application Version is displayed on the right side of the screen
       under the About Meeting Center heading.

If you have not automatically received the update, please contact Cisco
Support or a Cisco partner.
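The version checks above (extension version prior to 1.0.12, the Chrome extension identification string, the Internet Explorer plug-in version table and the fixed Desktop Application versions) are manual, per-host procedures. The script below is an added example, not Cisco or AusCERT code, that encodes the same facts from this advisory so an inventory export can be assessed in bulk. The inventory record schema, the sample records, the host names and the placeholder extension ID for a non-WebEx extension are all constructed for the example; the mapping from a Desktop Application version to its WBS major version by first version component is inferred from the table (WBS32 -> 32.3.4.5) and is labelled as an assumption in the code.

```python
"""Bulk fixed-version assessment for CVE-2017-6753 (added example).

Not Cisco or AusCERT code. Version facts come from the advisory text;
the inventory record format and sample data are constructed.
"""
from typing import Dict, Tuple

# --- Values taken from the advisory ---------------------------------------
FIXED_EXTENSION_VERSION = "1.0.12"  # "Versions prior to 1.0.12 ... are affected"
CHROME_WEBEX_EXTENSION_ID = "jlhmfgmfgeifomenelglieieghnjghma"
# Download Manager / GpcContainer Class: the advisory asks for an exact
# match against these strings, so they are kept as displayed (with the
# leading zeros) rather than parsed numerically.
FIXED_IE_PLUGIN_VERSIONS = {
    "10032.3.2017.711", "10031.14.2017.711", "10031.11.2017.0713",
    "10030.100.2017.0711", "10030.100.2017.0713",
}
FIXED_DESKTOP_APP_VERSIONS = {
    "WBS32": {"32.3.4.5"},
    "WBS31": {"31.14.3", "31.11.11"},
    "WBS30": {"30.20.3", "30.9.3", "30.6.7"},
}
UNFIXED_MAJOR_VERSIONS = {"WBS29"}  # "There are no fixes available for WBS29."


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so 1.0.9 < 1.0.12 holds.
    A plain string comparison would rank "1.0.9" above "1.0.12"."""
    return tuple(int(part) for part in text.strip().split("."))


def extension_status(version: str) -> str:
    """Chrome/Firefox extension: vulnerable if prior to 1.0.12."""
    if parse_version(version) < parse_version(FIXED_EXTENSION_VERSION):
        return "vulnerable"
    return "fixed"


def ie_plugin_status(version: str) -> str:
    """IE plug-in: fixed only if the displayed string is in the advisory table."""
    return "fixed" if version.strip() in FIXED_IE_PLUGIN_VERSIONS else "vulnerable"


def desktop_app_status(version: str) -> str:
    """Desktop Application: match against the fixed versions for its WBS line.
    ASSUMPTION: the WBS major version is the first version component
    (WBS32 <-> 32.x), as the advisory's table implies."""
    major = "WBS%d" % parse_version(version)[0]
    if major in UNFIXED_MAJOR_VERSIONS:
        return "no-fix-available"
    if version.strip() in FIXED_DESKTOP_APP_VERSIONS.get(major, set()):
        return "fixed"
    return "vulnerable"


def assess(record: Dict[str, str]) -> str:
    """Route one inventory record (constructed schema) to the right check."""
    kind = record["component"]
    if kind == "chrome_extension":
        # Only the WebEx extension ID is in scope; other extensions are ignored.
        if record.get("id") != CHROME_WEBEX_EXTENSION_ID:
            return "not-webex"
        return extension_status(record["version"])
    if kind == "firefox_extension":
        return extension_status(record["version"])
    if kind == "ie_plugin":
        return ie_plugin_status(record["version"])
    if kind == "desktop_app":
        return desktop_app_status(record["version"])
    raise ValueError("unknown component kind: %r" % kind)


# Constructed sample inventory (hosts and the non-WebEx extension ID are made up).
OTHER_EXTENSION_ID = "notthewebexextensionid0000000000"  # placeholder
SAMPLE_INVENTORY = [
    {"host": "ws-01", "component": "chrome_extension", "id": CHROME_WEBEX_EXTENSION_ID, "version": "1.0.9"},
    {"host": "ws-02", "component": "chrome_extension", "id": CHROME_WEBEX_EXTENSION_ID, "version": "1.0.12"},
    {"host": "ws-02", "component": "chrome_extension", "id": OTHER_EXTENSION_ID, "version": "0.1"},
    {"host": "ws-03", "component": "firefox_extension", "version": "1.0.11"},
    {"host": "ws-04", "component": "ie_plugin", "version": "10031.11.2017.0713"},
    {"host": "ws-05", "component": "ie_plugin", "version": "10031.11.2017.0501"},
    {"host": "ws-06", "component": "desktop_app", "version": "31.14.3"},
    {"host": "ws-07", "component": "desktop_app", "version": "29.13.2"},
]


def report(inventory=SAMPLE_INVENTORY) -> Dict[Tuple[str, str, str], str]:
    """Status keyed by (host, component, extension id or '')."""
    return {(r["host"], r["component"], r.get("id", "")): assess(r) for r in inventory}


if __name__ == "__main__":
    for key, status in sorted(report().items()):
        print("%-6s %-18s %-32s %s" % (key[0], key[1], key[2], status))
```

Two design points follow from the advisory's own wording: the browser extensions get a numeric "prior to 1.0.12" comparison, while the Internet Explorer plug-in is matched as an exact string because the table mixes "711" and "0713" suffixes and the advisory asks for one of those strings as displayed; a numeric parse would silently equate "0713" with "713". Hosts reporting "no-fix-available" (WBS29) need the removal tool or migration path described in the Workarounds section rather than an update.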
Note: The clients for all licensed features of a Cisco WebEx product must be
upgraded to ensure compatibility with the deployed site application version.
Upgrading a single client will resolve the vulnerability documented by
CVE-2017-6753. The following clients are available:

    Cisco WebEx Meeting Center Client
    Cisco WebEx Event Center Client
    Cisco WebEx Training Center Client
    Cisco WebEx Support Center Client
    Cisco WebEx Access Anywhere Client
    Cisco WebEx Remote Access Client

Cisco WebEx Meetings

Cisco has released a fix for Cisco WebEx Meetings. Cisco WebEx Meetings
Software has been upgraded to T30.20.3.

Cisco WebEx Meetings Server

Customers who have deployed Cisco WebEx Meetings Server, the onsite Cisco
WebEx offering, can download updated software at
https://software.cisco.com/download/navigator.html?mdfid=282628019&flowid=76922
or choose the following options from the Cisco Software Center:
Products > Conferencing > Web Conferencing > WebEx Meetings Server

Cisco WebEx Meetings Server version 2.6 customers should migrate to Cisco
WebEx Meetings Server 2.7 or later.

The following releases of Cisco WebEx Meetings Server have been updated to
address this vulnerability:

    WebEx Meetings Server 2.7MR2 Patch 9
    WebEx Meetings Server 2.8 Patch 3

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.

Source

This vulnerability was reported to Cisco by Tavis Ormandy of Google Project
Zero and Cris Neckar of Divergent Security.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Revision History

    Version  Description                                Section         Status  Date
    1.2      Included browser auto-update information.  Fixed Software  Final   2017-July-19
    1.1      Modified workarounds section.              Workarounds     Final   2017-July-18
    1        Initial public release.                                    Final   2017-July-17

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWXVrgIx+lLeg9Ub1AQjyWA//XYP6clhG3E/5/3fLE/xcwr61OkGFzopr
CNH0lZUiI8wo664DJvwRgFf8sKdcmyK7riURZJ1Xd7JxGNUFVB6l6ZxDWm7OW1+f
+q3juxsMMFbnUNqqQ2H9+kESH+TIaIIcPeb3hru8RrN+o0fhJiTVYxj+dXpSgV+7
8DKk4govvAdFmEMOi7QYAZz9f/CENmsZtdy3QcIIkulg86UDQdCsYWOV4XMlTpE6
SNBZG3GyBnjvJjpdRf/u62X8H+TtnJ0+JsuE/nk/ZXsquWbF7OOS0glwSwW5sklh
IlRKm1wAv2NP6DfpIlkbp+xs7IpTGnGurkpA6uxISfJ9tC8PRxdwMCCIUq9TvPSR
qyKAuSKkcpjyeSxwpZ26J+OAOm1i+SW6LGsDGrti4+dRvLYDJJPUdo8BIpH4W87Q
nqviXjg3192npTQ94xVjI9GlrPSN8/yvb5iBbBfKTGO1Ce4Wy2vV40XCVXjjp3ZJ
J2mBnZxAI9c793wM99s+z5MDBibzYkHBsmmURzEpxZeTwqGP163Fsip3SN/Jnbiw
6WpJQfKsPwlxsZdnzQUPauoS0g5+cGc0gCrevIkXiDd2mZF4KtUtPkjegQJSdJVJ
wPJWbMkyGD/wdrnJgR2MJZZYX+Nljv+upllad178KL86Pd6PFopVE1xU05K2ConK
D4J7odcoZmU=
=ov7n
-----END PGP SIGNATURE-----