Cisco has released security updates for a variety of its offerings, including some that fix critical remote code execution vulnerabilities in Webex software, Cisco Secure ACS (its policy-driven access control system), and a servlet included in two of its products.
Webex flaw (CVE-2018-0264)
If you use Cisco’s WebEx videoconferencing software and you haven’t implemented the security update released last month, you should definitely get patching right now as your computer can be compromised by simply opening a recording of a past online meeting.
The vulnerability is present in Cisco Webex Network Recording Player for Advanced Recording Format (ARF) files, and can be exploited by unauthenticated, remote attackers: they only need to booby-trap an ARF file, send it or a link to it to a user, and wait for it to be opened.
The ARF file format is used to store Webex meeting recordings that have been recorded on a Webex meeting site or on the computer of an online meeting attendee.
The Cisco Webex ARF Player is used to play back and edit Webex ARF recording files. The application can be installed automatically when a user accesses a recording file that is hosted on a Cisco Webex Meetings site (for streaming playback mode) or manually after downloading the application (for offline playback of recording files).
There is no workaround for the flaw – if you don’t want to risk getting hit with an exploit, either install the offered security update for Webex Business Suite, Webex Meetings, and Webex Meeting Server or remove the software from your system.
The vulnerability was discovered by Kushal Arvind Shah of Fortinet’s FortiGuard Labs and there is no indication that it is currently being exploited in the wild.
The updates for the Webex software also include a fix for a less critical RCE unearthed by the same researcher.
The other two critical RCE vulnerabilities
The first one (CVE-2018-0253), affecting all releases of Cisco Secure ACS prior to Release 5.8 Patch 7, could be triggered by the target opening a specially crafted Action Message Format (AMF) message that contains malicious code, allowing the attacker to execute arbitrary commands on the ACS device.
The second one (CVE-2018-0258) affects the Cisco Prime File Upload servlet included in Cisco Prime Data Center Network Manager (DCNM), version 10.0 and later, and all versions of Cisco Prime Infrastructure (PI).
“An attacker could exploit this vulnerability by uploading a crafted Java Server Pages (JSP) file to a specific folder using path traversal techniques and then executing that file remotely. An exploit could allow the attacker to execute arbitrary commands on the affected device with the privileges of the SYSTEM user,” Cisco noted.
Both vulnerabilities have been reported to Cisco by security researchers and the Cisco Product Security Incident Response Team is not aware of any public announcements or malicious use of them.