Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0213
Cisco Webex Multiple Vulnerabilities
24 January 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Webex
Publisher: Cisco Systems
Operating System: Windows
Linux variants
Cisco
Mac OS
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Cross-site Scripting -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1655 CVE-2019-1641 CVE-2019-1640
CVE-2019-1639 CVE-2019-1638 CVE-2019-1637
CVE-2019-1636
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-teams
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-meetings-xss
Comment: This bulletin contains three (3) advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Webex Teams URI Handler Insecure Library Loading Vulnerability
Priority: High
Advisory ID: cisco-sa-20190123-webex-teams
First Published: 2019 January 23 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn02053
CVE-2019-1636
CWE-78
CVSSÂ Score:
7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Cisco Webex Teams client, formerly Cisco Spark,
could allow an attacker to execute arbitrary commands on a targeted
system.
This vulnerability is due to unsafe search paths used by the application
URI that is defined in Windows operating systems. An attacker could
exploit this vulnerability by convincing a targeted user to follow a
malicious link. Successful exploitation could cause the application to
load libraries from the directory targeted by the URI link. The attacker
could use this behavior to execute arbitrary commands on the system with
the privileges of the targeted user if the attacker can place a crafted
library in a directory that is accessible to the vulnerable system.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-teams
Affected Products
o Vulnerable Products
This vulnerability affects all versions of Cisco Webex Teams prior to
version 3.0.10260, which was released on November 21, 2018.
To determine which Cisco Webex Teams version is running, users can click
their profile picture, which is between the Home icon and search field in
the application window. The user can choose Help > About to view the
version information, which is similar to the following:
Webex Teams
Version: 3.0.10260.0
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the
Cisco Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/
tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco Webex Teams versions 3.0.10260 (released on November 21, 2018) and
later contain the fix for this vulnerability.
Customers are advised to upgrade to the latest version of Cisco Webex
Teams. In the left panel of the app, click the Refresh icon (the circular
green arrow) and then click Update. If the Refresh icon is not present,
there is no update pending.
For more information, see the Cisco Webex Teams help article Update the
Cisco Webex Teams App to the Latest Release.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank rgod of 9sg Security Team, working with Trend
Micro's Zero Day Initiative, for reporting the vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
o Subscribe
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-teams
Revision History
o
+----------+---------------------------+----------+--------+------------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+------------------+
| 1.0 | Initial public release. | | Final | 2019-January-23 |
+----------+---------------------------+----------+--------+------------------+
- --------------------------------------------------------------------------------
Cisco Webex Network Recording Player Arbitrary Code Execution Vulnerabilities
Priority: High
Advisory ID: cisco-sa-20190123-webex-rce
First Published: 2019 January 23 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm65148 CSCvm65207 CSCvm65741 CSCvm65747
CSCvm65794 CSCvm65798 CSCvm86137 CSCvm86143
CSCvm86148 CSCvm86157 CSCvm86160 CSCvm86165
CVE-2019-1637
CVE-2019-1638
CVE-2019-1639
CVE-2019-1640
CVE-2019-1641
CWE-119
CVSSÂ Score:
7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the Cisco Webex Network Recording Player for
Microsoft Windows and the Cisco Webex Player for Microsoft Windows could
allow an attacker to execute arbitrary code on an affected system.
The vulnerabilities exist because the affected software improperly
validates Advanced Recording Format (ARF) and Webex Recording Format (WRF)
files. An attacker could exploit these vulnerabilities by sending a user a
malicious ARF or WRF file via a link or email attachment and persuading
the user to open the file with the affected software. A successful exploit
could allow the attacker to execute arbitrary code on the affected system.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce
Affected Products
o Vulnerable Products
These vulnerabilities affect the following versions of the Cisco Webex
Network Recording Player for Microsoft Windows and the Cisco Webex Player
for Microsoft Windows, which are available from Cisco Webex Business Suite
sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server:
Cisco Webex Business Suite WBS32 sites -- All Webex Network Recording
Player and Webex Player versions prior to Version WBS32.15.33
Cisco Webex Business Suite WBS33 sites -- All Webex Network Recording
Player and Webex Player versions prior to Version WBS33.6.1 or WBS
33.7.0
Cisco Webex Meetings Online -- All Webex Network Recording Player and
Webex Player versions prior to Version 1.3.40
Cisco Webex Meetings Server -- All Webex Network Recording Player
versions prior to Version 2.8MR3 SecurityPatch1 or 3.0MR2
SecurityPatch2
To determine which version of the Cisco Webex Network Recording Player or
the Cisco Webex Player is installed on a system, users can open the player
and choose Help > About.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco Webex Network Recording Player for Mac OS is not affected.
Details
o Cisco Webex Business Suite services and Cisco Webex Meetings Online are
hosted, multimedia conferencing solutions that are managed and maintained
by Cisco Webex. Cisco Webex Meetings Server is a multimedia conferencing
solution that customers host, manage, and maintain in their private
clouds.
Cisco Webex Business Suite services can be configured to allow users to
store meeting recordings online and download those recordings as ARF
files. These services can also be configured to allow users to record
meetings directly on their local computers as WRF files.
The Cisco Webex Network Recording Player is the application that is used
to play back ARF files. It is available from Cisco Webex Business Suite
sites (WBS31, WBS32, and WBS33), Cisco Webex Meetings Online, and Cisco
Webex Meetings Server. The player can be installed manually from the Cisco
Webex website or automatically when a user accesses an ARF file for
streaming playback from a Cisco Webex Business Suite site.
The Cisco Webex Player is the application that is used to play back WRF
files. It is available from Cisco Webex Business Suite sites (WBS31,
WBS32, and WBS33) and Cisco Webex Meetings Online. It is not available
from Cisco Webex Meetings Server. The player can also be installed
manually from the Cisco Webex website.
Workarounds
o There are no workarounds that address these vulnerabilities. However,
customers may remove the Cisco Webex Network Recording Player and the
Cisco Webex Player from a system by using the software-removal procedure
for the operating system. For example, to remove a player from a Microsoft
Windows 10 system, customers can use the Apps & Features app in Windows
Settings.
To remove all Cisco Webex software from a Microsoft Windows system,
customers can use the Meeting Services Removal Tool, which is available
for download from the Cisco Collaboration Help article, Cisco Webex and
3rd Party Support Utilities.
By removing the Cisco Webex Network Recording Player, a user will be
unable to play media. However, the next time media is accessed, the system
will download a new version of the software, providing the user with an
updated version.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the
Cisco Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/
tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Version Information
Cisco has fixed these vulnerabilities in the following versions of the
Cisco Webex Network Recording Player and the Cisco Webex Player:
Cisco Webex Business Suite WBS32 sites -- Webex Network Recording
Player and Webex Player Versions WBS32.15.33 and later
Cisco Webex Business Suite WBS33 sites -- Webex Network Recording
Player and Webex Player Versions WBS33.6.1 and later
Cisco Webex Meetings Online -- Webex Network Recording Player and Webex
Player Versions 1.3.40 and later
Cisco Webex Meetings Server -- Webex Network Recording Player
Versions 2.8MR3 SecurityPatch1 or 3.0MR2 SecurityPatch2 and later
Cisco has not and will not fix all these vulnerabilities in Cisco Webex
Business Suite WBS31 sites because those sites have reached the
end-of-version-support milestone. For information about this milestone and
the upgrade plans for WBS31 sites, see Cisco Webex Meetings Suite
End-of-Version Support Policy.
Customers can upgrade to a fixed version of the Cisco Webex Network
Recording Player in either of two ways:
Automatically: The player will be automatically upgraded to the latest
version of the software when a user accesses an ARF file that is
hosted on a Cisco Webex Business Suite site (WBS32 or WBS33), Cisco
Webex Meetings Online site, or Cisco Webex Meetings Server.
Manually: The player can be downloaded and installed from https://
www.webex.com/play-webex-recording.html.
Note: Customers who use locked-down Cisco Webex sites will not receive
updated versions of the Cisco Webex Network Recording Player
automatically. These customers should contact Cisco Webex Customer Support
to obtain updates or the latest version of the player from https://
www.webex.com/play-webex-recording.html.
Customers can upgrade to a fixed version of the Cisco Webex Player by
uninstalling their current version of the player and then downloading and
installing the latest version of the player from https://www.webex.com/
play-webex-recording.html.
The following table lists the Cisco bug IDs and fixed versions of the
software for each vulnerability that is described in this advisory.
Customers are advised to upgrade to an appropriate version as indicated in
the table.
Fixed Versions
Fixed Versions
Webex Meetings Webex Meetings Webex
Cisco Bug Suite Suite Meetings
ID WBS32 Sites WBS33 Sites Webex Meetings Server Online
CVE-2019-1637
CSCvm86148, 32.15.33 or 33.7.0 or later
CSCvm86157 later
CSCvm86137, 2.8MR3, 2.8MR3
CSCvm86160 SecurityPatch1, 3.0MR2
SecurityPatch2
CSCvm86143, 1.3.40
CSCvm86165
CVE-2019-1638
CSCvm65207 32.15.31 or 33.6.1 or later
later
2.8MR3, 2.8MR3
CSCvm65747 SecurityPatch1, 3.0MR2
SecurityPatch2
CSCvm65741 1.3.39
CVE-2019-1639
CSCvm65148 32.15.31 or 33.6.1 or later
later
2.8MR3, 2.8MR3
CSCvm65794 SecurityPatch1, 3.0MR2
SecurityPatch2
CSCvm65798 1.3.39
CVE-2019-1640
CSCvm97538 32.15.33 or 33.7.0 or later
later
2.8MR3, 2.8MR3
CSCvm97540 SecurityPatch1, 3.0MR2
SecurityPatch2
CSCvm97541 1.3.39
CVE-2019-1641
CSCvm97484 32.15.33 or 33.7.0 or later
later
2.8MR3, 2.8MR3
CSCvm97536 SecurityPatch1, 3.0MR2
SecurityPatch2
CSCvm97537 1.3.40
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o Cisco would like to thank the Zero Day Initiative for reporting the
following vulnerabilities: CVE-2019-1638 and CVE-2019-1639.
Cisco would like to thank Kushal Arvind Shah and Yonghui Han of Fortinet
for reporting the following vulnerabilities: CVE-2019-1637, CVE-2019-1640,
and CVE-2019-1641.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
o Subscribe
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce
Revision History
o
+----------+---------------------------+----------+--------+------------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+------------------+
| 1.0 | Initial public release. | | Final | 2019-January-23 |
+----------+---------------------------+----------+--------+------------------+
- --------------------------------------------------------------------------------
Cisco Webex Meetings Server Cross-Site Scripting Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190123-meetings-xss
First Published: 2019 January 23 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn10993
CVE-2019-1655
CWE-79
CVSSÂ Score:
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X
Summary
o
A vulnerability in the web-based management interface of Cisco Webex
Meetings Server could allow an unauthenticated, remote attacker to conduct
a cross-site scripting (XSS) attack against a user of the web-based
interface of the affected software.
The vulnerability is due to insufficient validation of user-supplied input
by the affected software. An attacker could exploit this vulnerability by
persuading a user of the interface to click a maliciously crafted link. A
successful exploit could allow the attacker to execute arbitrary script
code in the context of the affected interface or access sensitive,
browser-based information.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-meetings-xss
Affected Products
o Vulnerable Products
This vulnerability affects Cisco Webex Meetings Server. For information
about affected software releases, consult the Cisco bug ID(s) at the top
of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o For information about fixed software releases, consult the Cisco bug ID(s)
at the top of this advisory.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the
Cisco Technical Assistance Center (TAC) or their contracted maintenance
providers.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Deniz CEVIK from Biznet Bilisim A.S for
reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
o Subscribe
Action Links for This Advisory
o Understanding Cross-Site Scripting (XSS) Threat Vectors
Related to This Advisory
o Cross-Site Scripting
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-meetings-xss
Revision History
o
+----------+---------------------------+----------+--------+------------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+------------------+
| 1.0 | Initial public release. | -- | Final | 2019-January-23 |
+----------+---------------------------+----------+--------+------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXElFFWaOgq3Tt24GAQiU0hAApbEzqOZBLz1QQexKAeNGKXWmta+yLs2Y
vQfXHpqS5lbow/Zj2rXMhw6j+w4vWi3uIEIEHUd1PFclvcMNGjeg96I4H8d9/pVg
GV9QhnrQagRI4CITTX9/QtQgwEeldMkhu5dKd5MvyS9jHZuLnPvdIFIJNqozyCUT
FAd11LqyziC3apIvH8nCJq3PesI8yVdudwmooc3+gHUc7q+L7ViLnIn+ZUyJeadP
IzSFpOOmP3QpJzNT0UJwh9we8pgmddYyUTUTb2vO25dLvFh1J64syd6C+LJKWm/0
tWyeFmmpykbR3DZYoRpTF4VcDaGBOxinJiZWvR0cmHv77XJaZVn4ZdHMzxJRBqSq
m90QndsZ6s5bxpqP60SMaLUf7cdIGfi7mlZHwN42lS9uWKUr+tS5kR9f1ad+UxEq
04OhzT5IaalapapU3NCqi2D5QlUkDdS4xnflQ6TpdRYiEVHjMp7AHpzhs6yliYQY
q9Hi0hP1pUWonIYRQm/Iw4se6JK+qUm4YyPKCvbLYhYYwWpKME7x4Ar7maiyvG40
YjRjf7yw/Xnn8TVvcPZcrMrygwene9qHDTh+4I1xXSO1Q39/qdxIEN9dyeITdOHg
7+rqUVyVFviyvFiMY6N9TqM+nttNqBdE1TP7ifUQThIdsxX26yvBYHyOrRjhTT3b
Zx2BeEq3i0o=
=w+rp
-----END PGP SIGNATURE-----