Triggered via malicious files, flaws in Cisco WebEx players can lead to RCE

Cisco has plugged six security holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files that could be exploited by remote attackers to execute malicious code on a target system.


“The ARF and WRF file formats are used to store WebEx meeting recordings that have been recorded on a WebEx meeting site, or on the computer of an online meeting attendee,” the company explained.

“The Cisco WebEx players are applications that are used to play back WebEx meeting recordings that have been recorded by an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.”

Vulnerability exploitation

Exploitation of the vulnerabilities can be triggered via malicious ARF or WRF files. Attackers can send such a file as an attachment, or provide a link to it in an email. In both cases, they have to convince users to download and open the malicious file.
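Both delivery routes described above can be checked for at a mail gateway or during triage. The following is an added example, not code from the article or from Cisco: it parses one e-mail and reports ARF/WRF attachments and links. The `.arf` and `.wrf` extensions, the helper name `find_recording_lures` and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import unquote, urlsplit

RECORDING_EXTS = (".arf", ".wrf")  # assumed extensions for ARF and WRF recordings
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def find_recording_lures(raw_message):  # hypothetical helper name
    """Return (kind, value) pairs for ARF/WRF attachments and links in one e-mail."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Windows drops trailing dots and spaces from file names.
            if name.lower().rstrip(". ").endswith(RECORDING_EXTS):
                hits.append(("attachment", name))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,;)")
                # Test the decoded path only, so a query string cannot hide the extension.
                if unquote(urlsplit(url).path).lower().endswith(RECORDING_EXTS):
                    hits.append(("link", url))
    return hits

# Constructed sample message: one link and one attachment that should be flagged.
SAMPLE = """\
From: organizer@example.com
To: user@example.com
Subject: Recording of today's meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The recording is at https://files.example.com/rec/standup.wrf?dl=1 and the
agenda is at https://files.example.com/agenda.pdf.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Q3-review.ARF"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for kind, value in find_recording_lures(SAMPLE):
        print(kind, value)
```

A match only says that a recording file is being delivered by e-mail, which is the route the advisory describes; it says nothing about whether the file is malicious.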

The company made sure to note that the vulnerabilities can’t be triggered by users who are attending a WebEx meeting.

Users of Cisco WebEx Business Suite, Cisco WebEx Meetings, and Cisco WebEx Meeting Server should check whether their installations are vulnerable and implement the provided security updates (if they have not already set their installations to receive automatic software updates). Instructions on how to do so are provided in the security advisory.

The good news is that the vulnerabilities were discovered and reported by security researchers, and there is currently no indication that they are being exploited in the wild.

But, with their existence having now been made public, attackers could quickly move to create exploits and target businesses, so updating the software to the latest release as soon as possible is advisable.

There are no workarounds for these issues, Cisco added. The only thing left to do if you can’t upgrade is to remove all WebEx software completely from a system.