Cisco Patches WebEx Remote Code Execution Vulnerability


Cisco's WebEx is among the most widely used collaboration and meeting tools on the internet today. While Cisco has its own security resources, the company didn't find a set of critical flaws in WebEx on its own and instead they were found by third party security researchers.

In its own advisory, Cisco refers to the vulnerability as a Cisco WebEx Browser Extension Remote Code Execution Vulnerability, which is also identified as CVE2017-6753. Google Project Zero security researcher Tavis Ormandy, who is credited with first discovering the issue along with Cris Neckar from Divergent Security, refers to it as WebEx Various GPC Sanitization bypasses permit Arbitrary Remote Command Execution.

"A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system," Cisco's advisory warns.

Rather than being an authentication protocol implementation issue, Cisco referred to the issues as a 'design defect' in the extension.

"An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability," Cisco stated. "If successful, the attacker could execute arbitrary code with the privileges of the affected browser."

Sanitization in code is an effort to make sure that potentially malicious code is not injected into a process.

"I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them," Ormandy wrote in his disclosure. " This extension has over 20M active Chrome users alone, FireFox and other browsers are likely to be affected as well."

Ormandy first reported the issue on July 6 and got a response from Cisco the same day. After some back and forth discussion and development, a fix for the full issue was developed by July 12.

"That was quick, Cisco sent me a draft of version 1.0.12 that verifies the object is a String," Ormandy wrote in a bug filing report. "I believe we're just waiting for them to push the fixes to the binary components, upload the final new extension version, and then we can consider this resolved."

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.