From 'WebEx' to 'WebExec' to 'WTF, my PC!' Cisco rapped in chat app security flap

Sorry to spoil your day, Cisco admins and users, but it's time to patch Webex, again.

A freshly disclosed exploitable security bug lies within Cisco Webex Meetings Desktop App for Windows, and while it's a privilege escalation bug one step below “critical”, and sitting pretty at "high," CVE-2018-15442 can be remotely abused in some circumstances.

Cisco described the programming blunder thus: “The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”

Malware running locally on a machine, or a malicious logged-in user, could abuse this hole to gain system administrator rights, if the box is running a vulnerable edition of Webex, and thoroughly compromise it with spyware and so on. A remote attack would have to come via the corporate network: "administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools," Cisco pointed out.

The bug's discoverers, Ron Bowes and Jeff McJunkin of Counter Hack, provided an outline of what they've dubbed WebExec, here. The duo said the coding cockup has a peculiar characteristic: “it's a remote vulnerability in a client application that doesn't even listen on a port.”

Installing the WebEx client also installs WebExService, they explained, and this software can execute arbitrary commands as a system admin, rather than in the user's security context. “Due to poor ACLs, any local or domain user can start the process over Window's remote service interface (except on Windows 10, which requires an administrator login)”, they continued.

The pair also created Nmap and Metasploit scripts to check for the vulnerability and demonstrate exploits.

Too easy

In his technical writeup of the bug, Bowes noted that “exploiting the vulnerability is actually easier than checking for it!” He continued: “The patched version of WebEx still allows remote users to connect to the process and start it. However, if the process detects that it's being asked to run an executable that is not signed by Webex, the execution will halt.”

So, in short: if you're a user, or sysadmin, check which version of Webex is installed, and upgrade as necessary. Cisco noted: “This vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.0, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows end-user system.”

If you're in the mood for some good news after all that: Switchzilla continues to comb its products for the libssh bug that popped up earlier this month, and so far hasn't identified any vulnerable offerings. ®