Cisco Releases Critical Patch to Address RCE Vulnerability in WebEx Software
iSpeech
Cisco recently released a critical patch to fix a serious vulnerability in its WebEx software (CVE-2018-0112) that could be exploited by a remote attacker to execute on a target machine via a weaponized Flash file. Current client and server versions of WebEx Business Suite or WebEx Meetings are affected by this vulnerability and Cisco urges its users to update their software to resolve issues.
The vulnerability is due to insufficient input validation on the Cisco WebEx client. An attacker could exploit this vulnerability by providing the client with a malicious Flash (.swf) file through the client’s file sharing feature. The vulnerability has currently achieved a CVSS score of 9.0, and Cisco rated it as “critical.”
Cisco has released a software update to fix this vulnerability and confirmed that there are no attacks that exploit this vulnerability. In addition, Cisco added that currently there is no workaround for this issue, so users are advised to update the WebEx Business Suite software to T32.10 and T31.23.2, the WebEx Meetings client software to T32.10, and the Meetings Server to 2.8 MR2.
Source: Security Affairs
Gloss