Cisco WebEx clients remote code execution vulnerability

Advisory: CERT.be Advisory #2018-010
Version: 1.0
Reference: CVE-2018-0112
CVSS: 9.0
Affected software: Cisco WebEx Business Suite clients, Cisco WebEx Meetings and Cisco WebEx Meetings Server
Type: Unauthorized remote access / arbitrary code execution

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

Risks

CERT.be recommends that system administrators install the latest updates to the Cisco WebEx software. The vulnerability, tracked as CVE-2018-0112, presents the following risks: unauthorized remote access and arbitrary code execution.

Summary

A vulnerability in Cisco WebEx Business Suite clients, Cisco WebEx Meetings and Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability is due to insufficient input validation by the Cisco WebEx clients. An attacker could exploit this vulnerability by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client. Exploitation of this vulnerability could allow arbitrary code execution on the system of one or more targeted users.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Vulnerable Products

The vulnerability described in this advisory affects the clients installed by customers when accessing a WebEx meeting. The following client builds of Cisco WebEx Business Suite, Cisco WebEx Meetings, and Cisco WebEx Meetings Server are impacted by the vulnerability described in this advisory:
• Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.2
• Cisco WebEx Business Suite (WBS32) client builds prior to T32.10
• Cisco WebEx Meetings with client builds prior to T32.10
• Cisco WebEx Meetings Server builds prior to 2.8 MR2
To determine whether a Cisco WebEx Business Suite site is running an affected version of the WebEx client build, users can log in to their Cisco WebEx meeting site and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under About Meeting Center.
Alternatively, version information of the Cisco WebEx meeting client can be accessed from within the Cisco WebEx meeting client. Version information for the Cisco WebEx meeting client on Windows and Linux platforms can be viewed by choosing Help > About Cisco WebEx Meeting Center.
Version information for the Cisco WebEx meeting client on Mac platforms can be viewed by choosing Meeting Center > About Cisco WebEx Meeting Center.
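
The following added example (not part of the original advisory, and not Cisco tooling) checks build strings collected from an inventory export against the fixed builds listed above. The product keys, the accepted build-string formats and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds as listed in this advisory. The product keys and the build
# string formats accepted below are assumptions about an inventory export.
FIXED_CLIENT = {
    ("business-suite", 31): (31, 23, 2),  # WBS31: prior to T31.23.2
    ("business-suite", 32): (32, 10),     # WBS32: prior to T32.10
}
FIXED_MEETINGS = (32, 10)                 # Meetings: prior to T32.10
FIXED_SERVER = (2, 8, 2)                  # Meetings Server: prior to 2.8 MR2

def _older(build, fixed):
    """True if build < fixed after zero-padding both to the same length."""
    n = max(len(build), len(fixed))
    return build + (0,) * (n - len(build)) < fixed + (0,) * (n - len(fixed))

def parse_client(build):
    """'T31.23.2' -> (31, 23, 2); '32.9.0.15' -> (32, 9, 0, 15)."""
    m = re.fullmatch(r"\s*[Tt]?(\d+(?:\.\d+)*)\s*", build)
    if not m:
        raise ValueError(f"unrecognised client build: {build!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def parse_server(build):
    """'2.8 MR2' -> (2, 8, 2); '2.8' (no maintenance release) -> (2, 8, 0)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s*MR\s*(\d+))?\s*", build, re.I)
    if not m:
        raise ValueError(f"unrecognised server build: {build!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(product, build):
    """True/False per the advisory; None if the advisory does not cover it."""
    if product == "meetings-server":
        return _older(parse_server(build), FIXED_SERVER)
    ver = parse_client(build)
    if product == "meetings":
        return _older(ver, FIXED_MEETINGS)
    fixed = FIXED_CLIENT.get((product, ver[0]))  # keyed by release train
    return None if fixed is None else _older(ver, fixed)

# Constructed sample inventory: hostnames and builds are made up.
INVENTORY = [("pc-01", "business-suite", "T31.20.4"),
             ("pc-02", "business-suite", "T32.10"),
             ("mac-03", "meetings", "32.9.0.15"),
             ("srv-04", "meetings-server", "2.8 MR1")]

def triage(inventory):
    """Return the hosts whose build is below the fixed build."""
    return [host for host, product, build in inventory
            if is_affected(product, build)]
```

A result of None means the advisory does not list that product or release train, so the host needs manual review.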

Remediation

Cisco has released free software updates that address the vulnerability described in this advisory.