Executive Summary

Summary
Title: Cisco WebEx Browser Extension Remote Code Execution Vulnerability
Information
Name: cisco-sa-20170717-webex
First vendor Publication: 2017-07-17
Vendor: Cisco
Last vendor Modification: 2017-07-17
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 9.3
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.

The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

Cisco has released software updates for Google Chrome and Mozilla Firefox that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex


Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type Description Count
Application 3
Application 3
Application 1
Application 15
Application 8
Application 1
Application 3
Application 6
Application 1
Application 1
Application 4
Application 3
Application 1
Application 1
Application 2
Application 2
Application 1
Application 1
Application 3
Application 3

Snort® IPS/IDS

Date Description
2017-01-27 Cisco Webex explicit use of web plugin detected
RuleID : 41409-community - Revision : 7 - Type : POLICY-OTHER
2017-02-25 Cisco Webex explicit use of web plugin detected
RuleID : 41409 - Revision : 6 - Type : POLICY-OTHER
2017-02-25 Cisco WebEx extension command execution attempt
RuleID : 41408 - Revision : 3 - Type : BROWSER-OTHER
2017-02-25 Cisco WebEx extension command execution attempt
RuleID : 41407 - Revision : 3 - Type : BROWSER-OTHER

Nessus® Vulnerability Scanner

Date Description
2017-07-19 Name : A browser extension installed on the remote host is affected by a remote code...
File : cisco_webex_extension_1_0_12_chrome.nasl - Type : ACT_GATHER_INFO
2017-07-19 Name : A browser extension installed on the remote host is affected by a remote code...
File : cisco_webex_extension_1_0_12_firefox.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2017-08-01 00:23:08
  • Multiple Updates
2017-07-26 00:23:59
  • Multiple Updates
2017-07-21 13:24:50
  • Multiple Updates
2017-07-17 21:21:55
  • First insertion