{"id":36781,"date":"2018-10-25T13:15:02","date_gmt":"2018-10-25T13:15:02","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=e739b1da3286f3daedd45d1bd1bbd48b"},"modified":"2018-10-25T13:15:02","modified_gmt":"2018-10-25T13:15:02","slug":"remote-code-execution-flaw-found-in-cisco-webex-2","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/remote-code-execution-flaw-found-in-cisco-webex-2\/","title":{"rendered":"Remote code execution flaw found in Cisco WebEx"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/rene-millman\">Rene Millman<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">25 Oct, 2018<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<p class=\"short-teaser\">\n<a href=\"https:\/\/www.cloudpro.co.uk\/\" title=\"\" class=\"combined-link\"><\/a><\/p>\n<div class=\"field field-name-body\">\n<p> Security researchers have discovered a flaw in WebEx&#8217;s WebexUpdateService that allows anyone with a login to the Windows system where Cisco&#8217;s client software is installed to run system-level code remotely.<\/p>\n<p>The vulnerability is \u201cpretty unique\u201d as it is \u201ca remote vulnerability in a client application that doesn&#8217;t even listen on a port\u201d, according to a\u00a0<a href=\"https:\/\/blog.skullsecurity.org\/2018\/technical-rundown-of-webexec\">blog post<\/a>\u00a0by Ron Bowes and Jeff McJunkin of Counter Hack.<\/p>\n<p>When the WebEx client is installed on a system, a Windows service called WebExService\u00a0is also installed that can execute commands with system-level privilege.<\/p>\n<p>According to a <a href=\"https:\/\/webexec.org\/\">website<\/a> detailing the hack, due to poorly handled access control lists (ACLs), any local or domain user can start this service over Windows&#8217; remote service interface, except those running the client on Windows 10 (which requires an admin login).<\/p>\n<p>\u201cAs far as we know, a remote attack against a 3rd party Windows service is a novel type of attack. We&#8217;re calling the class &#8220;thank you for your service&#8221;, because we can, and are crossing our fingers that more are out there!\u201d Bowes said.<\/p>\n<p>Bowes said that exploiting the vulnerability is \u201cactually easier than checking for it\u201d.<\/p>\n<p>\u201cThe patched version of WebEx still allows remote users to connect to the process and start it,&#8221; he explained. &#8220;However, if the process detects that it&#8217;s being asked to run an executable that is not signed by Webex, the execution will halt.\u201d<\/p>\n<p>In an <a href=\"https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-20181024-webex-injection\">advisory<\/a>, Cisco said the vulnerability is due to insufficient validation of user-supplied parameters. \u201cAn attacker could exploit this vulnerability by invoking the update service command with a crafted argument,\u201d said the advisory.<\/p>\n<p>Bowes said that WebEx released a patch on 3 October and that users should make sure they&#8217;re running this new client version.<\/p>\n<p>\u201cThe good news is, the patched version of this service will only run files that are signed by WebEx. The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely,\u201d he said.<\/p>\n<p>The Cisco advisory said that users could determine whether a vulnerable version of Cisco Webex Meetings Desktop App is installed on a Windows machine by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window, then selecting the About&#8230; menu entry. A popup window displaying the currently installed version will open. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Rene Millman<\/p>\n<p>        25 Oct, 2018    <\/p>\n<p>       Security researchers have discovered a flaw in WebEx&#8217;s WebexUpdateService that allows anyone with a login to the Windows system where Cisco&#8217;s client software is installed to run system-level co&#8230;<\/p>\n","protected":false},"author":417,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-36781","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/36781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/417"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=36781"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/36781\/revisions"}],"predecessor-version":[{"id":36782,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/36781\/revisions\/36782"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=36781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=36781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=36781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}