Cisco patched a command injection vulnerability in Webex Meetings

Two security researchers recently announced that Cisco’s WebEx online video conferencing software is affected by a critical vulnerability that could be exploited to elevate privileges and execute arbitrary commands.

The vulnerability was discovered by Ron Bowes and Jeff McJunkin of Counter Hack and was named “WebExec.” To raise public awareness of the vulnerability, the two researchers have also set up a website (webexec.org) for it.

The vulnerability is tracked as CVE-2018-15442. It was reported to Cisco in early August, and the fix was released within two months. Cisco coordinated the disclosure of the vulnerability with the two researchers, and there is no evidence that it has been used for malicious purposes.

According to webexec.org, WebExec is a vulnerability in the Cisco WebEx client software. Installing the WebEx client also installs a Windows service called “WebExService”, which can execute arbitrary commands with SYSTEM account privileges. Due to an inappropriate Access Control List (ACL), any local or domain user can start the service through Windows’ remote service interface (except on Windows 10, which requires an administrator login).
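As an added example (not code from Cisco, webexec.org or the researchers), the following Python sketch shows how a defender could audit a service security descriptor, as printed by `sc.exe sdshow <service>`, for allow entries that let ordinary users start the service. The SDDL strings are constructed samples, not the real WebExService descriptor, and the function names are hypothetical.

```python
import re

# SDDL rights that allow starting a service: RP is SERVICE_START on service
# objects; GA (generic all) and GX (generic execute) both include it.
START_TOKENS = {"RP", "GA", "GX"}
START_MASK = 0x0010 | 0x10000000 | 0x20000000  # SERVICE_START, GENERIC_ALL, GENERIC_EXECUTE

# SID aliases that cover ordinary local or domain users.
BROAD_TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
    "NU": "Network", "BU": "Builtin Users", "DU": "Domain Users",
}

def dacl_aces(sddl):
    """Return the ACE strings of the D: (DACL) section only, skipping the S: SACL."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    return re.findall(r"\(([^()]*)\)", m.group(1)) if m else []

def grants_start(rights):
    """True if an ACE rights field (letter pairs or a hex mask) includes start."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & START_MASK)
    return any(rights[i:i + 2] in START_TOKENS for i in range(0, len(rights), 2))

def risky_start_aces(sddl):
    """List (trustee, rights) for allow ACEs that let broad groups start the service.
    Deny ACEs are not evaluated, so treat a hit as something to review."""
    hits = []
    for ace in dacl_aces(sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue
        rights, trustee = fields[2], fields[5]
        if trustee in BROAD_TRUSTEES and grants_start(rights):
            hits.append((BROAD_TRUSTEES[trustee], rights))
    return hits

# Constructed samples (not the real WebExService descriptor).
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWRPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
TIGHT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for name, sddl in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(name, risky_start_aces(sddl) or "no broad start rights")
```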

WebEx software affected by this vulnerability includes all versions of the Cisco Webex Meetings Desktop App before 33.5.6 and all versions of Cisco Webex Productivity Tools from 32.6.0 through 33.0.5. The vulnerability is currently fixed in Cisco Webex Meetings Desktop App 33.5.6 and 33.6.0, and in Cisco Webex Productivity Tools 33.0.5 and later. Note also that since the release of Cisco Webex Meetings 33.2.0, Cisco Webex Productivity Tools has been replaced by the Cisco Webex Meetings Desktop App.

On webexec.org, Ron Bowes and Jeff McJunkin also provide proof-of-concept (PoC) code for this vulnerability based on Nmap (Network Scanning and Sniffing Toolkit for Linux) and Metasploit (an open source vulnerability detection tool). They also provide a vulnerability checker (an Nmap script) that lets administrators check whether a system is affected by the vulnerability.