Cisco has discovered a security bug that affects remote workers using its Webex Meetings Virtual Desktop App for Windows.
With the company's Webex Meetings one of the main enterprise options for online video meetings with teammates, the product is probably getting even greater use due to remote working as the COVID-19 pandemic rolls on around the world.
Cisco has warned that the bug in Webex Meetings Desktop App for Windows is a high-severity security flaw.
However, it can only be exploited when Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients.
The plug-in is designed to support HVD users, such as remote workers who are connecting to a corporate network from a personal computer.
The flaw may allow an attacker to execute arbitrary code on a targeted system with the targeted user's privileges.
"A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user," Cisco explains in an advisory.
One mitigating factor is that the vulnerability can only be exploited by a local attacker with limited privileges who has sent a malicious message to the affected software by using the virtualization channel interface.
However, Cisco has given the bug, tracked as CVE-2020-3588, a severity rating of 7.3 out of a possible 10.
The bug has been fixed in Webex Meetings Desktop App for Windows releases 40.6.9 and later and 40.8.9 and later. The issue was due to the desktop app improperly validating messages.
Cisco also notes that customers must update the affected app in the HVD in the virtual desktop environment. However, the plug-in does not need to be updated.
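As an added example (not Cisco's code or advisory tooling), the following Python helper turns the fix information above into a triage check an administrator can run against the version strings collected from HVD images: it encodes the two fixed releases the article names (40.6.9 and later, 40.8.9 and later) and the precondition that the app must be running on a hosted virtual desktop with the VDI plug-in for thin clients. The per-train reading of the fixed releases, the treatment of builds earlier than 40.6 as vulnerable, and the decision to report in-between builds such as 40.7.x as "unknown" rather than guess are assumptions of this example; the function names are this example's own.

```python
"""Version triage for CVE-2020-3588 (Webex Meetings Desktop App for Windows).

Added example, not Cisco's code. Fixed releases are taken from the article:
40.6.9 and later, and 40.8.9 and later. Everything else about how the trains
are split is an assumption and is flagged as such below.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Assumption: 40.6 is a maintenance train fixed from 40.6.9 within that train,
# and 40.8.9 marks the point from which all later releases carry the fix.
FIXED_40_6: Version = (40, 6, 9)
FIXED_LATEST: Version = (40, 8, 9)


def parse_version(text: str) -> Version:
    """Turn '40.8.9' or '40.8.9.8' into a tuple of ints that compares correctly."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_fixed(version: str) -> Optional[bool]:
    """True if the build is at or past a fixed release, False if it is earlier
    than every fixed release, None if the article's wording does not cover it
    (for example a 40.7.x build), in which case the advisory is the authority."""
    v = parse_version(version)
    if v >= FIXED_LATEST:          # 40.8.9 and anything later
        return True
    if v[:2] == (40, 6):           # maintenance train: needs 40.6.9 or later
        return v >= FIXED_40_6
    if v[:2] < (40, 6):            # assumption: older than every fixed train
        return False
    if v[:2] == (40, 8):           # 40.8.x below 40.8.9
        return False
    return None                    # 40.7.x and similar: not stated, do not guess


def triage(version: str, on_hvd_with_vdi_plugin: bool) -> str:
    """Combine the build status with the exploitation precondition from the advisory.

    The vulnerable message path is only reachable when the app runs on an HVD
    with the virtual desktop plug-in, so hosts without that configuration are
    reported as not exposed (they still pick up the fix at the next update)."""
    fixed = is_fixed(version)
    if fixed is True:
        return "fixed"
    if not on_hvd_with_vdi_plugin:
        return "not-exposed"
    return "update-required" if fixed is False else "unknown-check-advisory"


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported version, uses VDI plug-in on HVD)
    inventory = [
        ("hvd-01", "40.6.8", True),
        ("hvd-02", "40.8.9.8", True),
        ("laptop-07", "40.8.3", False),
        ("hvd-03", "40.7.3", True),
    ]
    for host, ver, vdi in inventory:
        print(f"{host:10} {ver:10} {triage(ver, vdi)}")
```

Only the desktop app inside the HVD needs the new build; as the article notes, the plug-in on the thin client does not, so the inventory fed to `triage` should be the versions reported from the virtual desktops themselves.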
Fortunately, Cisco's Product Security Incident Response Team (PSIRT) has not observed any attacks in the wild, and Cisco found the bug during internal testing.
Cisco is also urging customers to update Webex Meetings sites and Webex Meetings Server due to vulnerabilities affecting the Webex Network Recording Player for Windows and Webex Player for Windows.
There are three bugs that stem from the playback apps not doing enough to validate elements of Webex recordings stored in the Advanced Recording Format (ARF) – a video format for Webex – or the Webex Recording Format (WRF).
The bugs are tracked as CVE-2020-3573, CVE-2020-3603, and CVE-2020-3604. They have a severity rating of 7.8.
Attackers can exploit the flaws by sending a target a malicious ARF or WRF file via a link or email attachment, and then tricking the target into opening the file with one of the two Webex players.
Webex Network Recording Player is used to play back ARF files, while Webex Player is used to play back WRF files.
The playback applications are available from Cisco Webex Meetings and Cisco Webex Meetings Server.
The Webex Network Recording Player is available from Cisco Webex Meetings sites and Cisco Webex Meetings Server. The Cisco Webex Player is available from Cisco Webex Meetings sites but not from the Cisco Webex Meetings Server.
While Cisco's PSIRT has not observed any malicious activity using these flaws, they were found by security researcher Francis Provencher (PRL), who reported the issue to Cisco via Trend Micro's Zero Day Initiative.
Cisco notes there are no workarounds for these bugs and has listed in its advisory the releases of Webex Meetings sites and Webex Meetings Server that need to be updated.
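Because the delivery vector for the three player bugs is a recording file arriving by link or email attachment, and there is no workaround other than updating, an interim detection a defender can run is to flag Webex recordings that come from outside the organisation. The following Python is an added example, not Cisco's code: the mail-gateway log format, the `.arf` and `.wrf` file extensions used to recognise ARF and WRF recordings, and the domain names are all assumptions, and the sample log lines are constructed.

```python
"""Flag inbound Webex recording files (ARF/WRF) in mail-gateway logs.

Added example, not Cisco's code. Log format, extensions and domains are
assumptions; SAMPLE_LOG is constructed for the demonstration.
"""
import re
from typing import Dict, List

# Assumption: ARF recordings carry .arf (Network Recording Player), WRF carry .wrf (Webex Player).
RECORDING_EXTS = {".arf", ".wrf"}
INTERNAL_DOMAINS = {"corp.example"}   # assumed organisation domain

# Assumed log shape: "<timestamp> from=<sender> to=<recipient> attach=<name>|url=<link>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+"
    r"(?:attach|url)=(?P<obj>\S+)$"
)

SAMPLE_LOG = """\
2020-11-18T09:55:02Z from=alice@corp.example to=bob@corp.example attach=standup.arf
2020-11-18T10:02:11Z from=vendor@partner.example to=bob@corp.example attach=Q3-Review.WRF
2020-11-18T10:03:40Z from=news@partner.example to=carol@corp.example attach=agenda.pdf
2020-11-18T10:07:19Z from=unknown@mail.example to=dave@corp.example url=https://files.example/rec/replay.arf?x=1
"""


def recording_ext(obj: str) -> str:
    """Lower-cased final extension of a file name or URL path ('' if none).
    Query strings and fragments are stripped so 'replay.arf?x=1' yields '.arf'."""
    path = obj.split("?", 1)[0].split("#", 1)[0]
    base = path.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def sender_is_external(addr: str) -> bool:
    """True when the sender's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def flag_recordings(log_text: str) -> List[Dict[str, str]]:
    """Return one record per recording file that arrived from an external sender."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # unparseable line; real tooling would count these
        ext = recording_ext(m["obj"])
        if ext in RECORDING_EXTS and sender_is_external(m["sender"]):
            hits.append({
                "ts": m["ts"],
                "sender": m["sender"],
                "rcpt": m["rcpt"],
                "object": m["obj"],
                "ext": ext,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_recordings(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['sender']} -> {hit['rcpt']}: {hit['object']} ({hit['ext']})")
```

Internally generated recordings (the first sample line) are left alone so the rule does not drown legitimate use, and the flagged records are meant to be held for review or routed to the updated players only, not to replace the patching the advisory calls for.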