Cisco launches patches for vulnerabilities in WEBEX Meetings app

Users are encouraged to install updates as soon as possible

Cisco has launched a security update set for Webex Meetings that resolves a vulnerability that, if exploited, could grant the attacker an escalation of privileges, as reported by experts in digital forensics and cybersecurity from the International Institute of Cyber Security.

The vulnerability, tracked as CVE-2018-15442, resides in the Cisco Webex Meetings Desktop for Windows app and, according to the company security report, “it could allow an authenticated local attacker to execute arbitrary commands as a user with high privileges”.

An error in validating the parameters provided by the user in the app has caused the problem, as reported by experts in digital forensics. The vulnerability can be exploited by a malicious agent by invoking the Service Update command with an argument elaborated specifically to exploit the error.

This could force the system to execute arbitrary commands with system user privileges.

According to the Cisco security notice, all versions of the Cisco Webex Meetings Desktop app prior to the 33.6.0 and the Cisco Webex productivity tool versions 32.6.0 and subsequent to the 33.0.5 version on the operating system Microsoft Windows are affected by the flaw, so you need to install the updates in these implementations.

There are no known alternative solutions, so to protect the systems against this vulnerability, which is considered “important”, administrators must apply the Cisco fix or wait for their systems to perform the updates automatically.

The alert issued by the Webex Meetings team was issued at the same time as a warning for critical vulnerability, a recently disclosed LIBSSH error, affecting vendors using the library.

CVE-2018-10933, disclosed a few days ago, is an authentication vulnerability that allows unauthorized remote attackers to access a specific system, report experts in digital forensics.

Providers, including F5 and Red Hat, are known to have also been affected by the vulnerability, considered to have a “trivial exploitation”. Cisco recently confirmed that the security flaw also affects their products.

Earlier this month, the company had already solved two major vulnerabilities in the software of its Digital Network Architecture center (DNA). If exploited, these flaws could allow remote attackers to take control of identity management functions as well as access central management functions.