Cisco addresses severe security flaw in Webex through software update
In a recent development, Cisco has identified a high-severity arbitrary code execution vulnerability in the Webex Meetings Desktop App for Windows. This vulnerability, discovered during Cisco's routine internal security testing, could potentially allow attackers to execute unauthorized actions.
The bug is specific to the Webex Meetings Desktop App for Windows and is exploitable only under certain conditions. The affected configurations include the Cisco Webex Meetings Desktop App, particularly versions that may not have the latest security updates or that rely on outdated protocols such as older TLS versions. Specific vulnerable setups are those not updated to support TLS 1.2 or 1.3 and older integrations with certain browsers or scheduling extensions that have reached end of support. Users of legacy integrations like Cisco Webex Scheduler for Google Chrome Extension and Internet Explorer are also affected.
The vulnerability lies in improper messages validation processes within the app. Attackers could exploit this by sending malicious messages to the affected software using the virtualization channel interface. It's important to note that this vulnerability does not impact on-premise users of Webex Meetings Server.
Cisco has released updates to resolve the vulnerability, but there are no workarounds that address this issue. Given the nature of the vulnerability, it's crucial for users to apply the updates as soon as possible.
The scope of the vulnerability includes apps on a virtual desktop environment using virtual environment optimization. This is particularly concerning for systems and services facing the web, as they could potentially be a safe place for adversaries to hide their traffic in the background noise. Accenture has suggested that this could lead to credential harvesting.
Accenture's 2020 Cyber Threatscape Report also highlights an increase in social engineering this year, with cyberespionage and cybercriminal groups targeting vulnerable employees unfamiliar with managing their technology environments.
As tools like Webex have become crucial for company operations with employees working from home, it's essential to ensure these tools are secure. The plug-ins for remote employees do not require updates, but the app within the HVD needs patching.
In light of these findings, it's recommended that users keep their Webex Meetings Desktop App for Windows updated to the latest version and be vigilant against potential threats.
