Cisco has found a security bug that impacts remote workers using its Webex Meetings Virtual Desktop App for Windows.
With the company’s Webex Meetings one of the main enterprise options for online video meetings with teammates, the product is probably getting even higher use due to remote working as the COVID-19 pandemic rolls on across the world.
Cisco has warned that the bug in Webex Meetings Desktop App for Windows is a high-severity security flaw.
SEE: Network security policy (TechRepublic Premium)
However, it can only be exploited when Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients.
The plug-in is designed to support HVD users, such as remote workers who are connecting to a corporate network from a personal computer.
The flaw may allow an attacker to execute arbitrary code on a targeted system with the targeted user’s privileges.
“A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user,” Cisco explains in an advisory.
One mitigating factor is that the vulnerability can only be exploited by a local attacker with limited privileges who had sent a malicious message to the affected software by using the virtualization channel interface.
Nonetheless, Cisco has given the bug, tracked as CVE-2020-3588, a severity rating of 7.3 out of a possible 10.
The bug has been fixed in the Webex Meetings Desktop App for Windows releases 40.6.9 and later and 40.8.9 and later. The issue was due to the desktop app improperly validating messages.
Cisco also notes that customers must update the affected app in the HVD in the virtual desktop environment. However, the plug-in does not need to be updated.
Fortunately, Cisco’s Product Security Incident Response Team (PSIRT) has not observed any attacks in the wild and Cisco found the bug during internal testing.
Cisco is also urging customers to update Webex Meetings sites and Webex Meetings Server due to vulnerabilities affecting the Webex Network Recording Player for Windows and Webex Player for Windows.
There are three bugs that stem from the playback apps not doing enough to validate elements of Webex recordings stored in the Advanced Recording Format (ARF) – a video format for Webex – or the Webex Recording Format (WRF).
The bugs are tracked as CVE-2020-3573, CVE-2020-3603, and CVE-2020-3604. They have a severity rating of 7.8.
Attackers can exploit the flaws by sending the target a malicious ARF or WRF file through a link or email attachment, and then tricking the target into opening the file with the two Webex players.
Webex Network Recording Player is used to play back ARF files, while Webex Player is used to play back WRF files.
The playback applications are available from Cisco Webex Meetings and Cisco Webex Meetings Server.
SEE: These software bugs are years old. But businesses still aren’t patching them
The Webex Network Recording Player is available from Cisco Webex Meetings sites and Cisco Webex Meetings Server. The Cisco Webex Player is available from Cisco Webex Meetings sites but not from the Cisco Webex Meetings Server.
While Cisco’s PSIRT has not observed any malicious activity using these flaws, they were found by security researcher Francis Provencher (PRL) who reported the issue to Cisco via Trend Micro’s Zero Day Initiative.
Cisco notes there are no workarounds for this bug and has listed in its advisory the releases of Webex Meetings sites and Webex Meetings Server that need to be updated.
More on Cisco and networking security