Cisco issued a security update for Webex Meetings. The update must close a vulnerability that needs to be exploited that can lead to privilege escalation. Due to the error in the Windows desktop app, “a local attacker can execute random commands as a user with privileges”.
The problem is caused by the fact that the parameters provided by the user are not sufficiently validated. An attacker can abuse this by updating the service command with his own argument. This allows the system to execute arbitrary commands with the privileges of system users.
The vulnerability occurs in all versions of the desktop app for Windows for 33.6.0, and in the Cisco Webex Productivity Tools 32.6.0 and later, and for versions 33.0.5 on Windows. Moreover, there is no other way for users to protect themselves from the vulnerability, so the only solution is to install the update.
Other vulnerabilities
The vulnerability was disclosed at the same time as another vulnerability: the libssh-bug, which has an impact on vendors who use the library. The error was announced last week. Attackers can thus gain remote access to a system.
Last month, Cisco solved two other vulnerabilities in the Digital Network Architecture Center. If abused, remote attackers could take control of identity management functions, as well as access key management functions.
In September, a patch was released for the Video Surveillance Manager. Due to an error in that software, credentials were hardcoded in the root account. This allowed hackers to control an affected system as root users, should they discover the credentials. Also then it was recommended to install the update as soon as possible.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.