A Vulnerability in Cisco WebEx Browser Extensions Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-064

DATE(S) ISSUED:

07/18/2017

OVERVIEW:

A vulnerability has been discovered in the Cisco WebEx browser extension for Windows versions of Chrome, Firefox, and Internet Explorer, which could allow for arbitrary code execution. It has been confirmed by Cisco that this vulnerability does not affect Cisco WebEx browser extensions for Mac or Linux, or Cisco WebEx browser extensions for Microsoft Edge or Internet Explorer. The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.

THREAT INTELLIGENCE:

While a proof of concept is available, there are no reports of this vulnerability being actively exploited in the wild.

SYSTEMS AFFECTED:

  • Cisco WebEx Extension for Chrome prior to 1.0.12 for Windows
  • Cisco WebEx Extension for Firefox prior to 1.0.12 for Windows

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • HIGH

TECHNICAL SUMMARY:

A vulnerability has been discovered in the Cisco WebEx browser extensions, which could allow for arbitrary code execution. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.

Currently, the Cisco WebEx Extension for Google Chrome version 1.0.12 contains a fix for this vulnerability. Chrome users can confirm they are running the fixed version of the Cisco WebEx Extension for Google Chrome by taking the following steps:

  • In Chrome, select ‘Customize and control Google Chrome’ icon at the top right of the browser window.
  • Navigate to ‘More tools’.
  • Select ‘Extensions’.
  • Enable ‘Developer mode’.
  • Select ‘Update extensions now’.

Mozilla Firefox users can take the following steps to ensure the Cisco WebEx Add-on is configured to receive automatic updates:

  • In Firefox, open the settings menu by clicking on the ‘Open Menu’ icon.
  • Click ‘Add-ons’.
  • Click ‘Extensions’.
  • Click on ‘More’ under ‘Cisco WebEx Extension’.
  • Enable ‘Automatic Updates’.
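The two procedures above are manual, per-user checks. For an administrator who needs to confirm the installed extension version across many Windows workstations, the following script, added here as an example and not part of the advisory or any Cisco or CIS tooling, reads the version straight from the browser's on-disk extension metadata and compares it numerically against the fixed release 1.0.12. It assumes the usual Chrome profile layout (one manifest.json per installed extension version under the profile's Extensions directory) and the usual Firefox extensions.json layout (an "addons" list with "version" and "defaultLocale"."name" fields); matching on the string "webex" in the extension name is an assumption, since the advisory does not give the extension's identifier. The demo() function builds a constructed directory tree with sample manifests rather than reading a real profile.

```python
"""Audit browser extension metadata for a pre-1.0.12 Cisco WebEx extension.

Added example; not code from the advisory, CIS, or Cisco.
"""
import json
import os
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.0.12"  # fixed version named in the advisory
NAME_MARKER = "webex"     # assumption: match the extension name case-insensitively


def parse_version(version: str) -> tuple:
    """Turn '1.0.12' into (1, 0, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def default_chrome_extension_root() -> Path:
    """Default Windows Chrome profile extension directory (assumed layout)."""
    return (Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome"
            / "User Data" / "Default" / "Extensions")


def _finding(path: Path, name: str, version: str) -> dict:
    return {"path": str(path), "name": name, "version": version,
            "vulnerable": is_vulnerable(version)}


def audit_chrome_extensions(root: Path) -> list:
    """Walk every manifest.json under root and report WebEx extensions found."""
    findings = []
    for manifest_path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the audit
        name = str(manifest.get("name", ""))
        version = str(manifest.get("version", ""))
        if NAME_MARKER in name.lower() and version:
            findings.append(_finding(manifest_path, name, version))
    return findings


def audit_firefox_profile(extensions_json: Path) -> list:
    """Read a Firefox profile's extensions.json (assumed layout: {"addons": [...]})."""
    try:
        data = json.loads(Path(extensions_json).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    findings = []
    for addon in data.get("addons", []):
        name = str((addon.get("defaultLocale") or {}).get("name", ""))
        version = str(addon.get("version", ""))
        if NAME_MARKER in name.lower() and version:
            findings.append(_finding(extensions_json, name, version))
    return findings


def demo() -> list:
    """Build a constructed extension tree (sample data, not a real profile) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        chrome_samples = {
            "chrome/aaaa/1.0.10_0": {"name": "Cisco WebEx Extension", "version": "1.0.10"},
            "chrome/bbbb/1.0.12_0": {"name": "Cisco WebEx Extension", "version": "1.0.12"},
            "chrome/cccc/2.3.0_0": {"name": "Unrelated Extension", "version": "2.3.0"},
        }
        for rel, manifest in chrome_samples.items():
            d = root / rel
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        ff = root / "firefox" / "extensions.json"
        ff.parent.mkdir(parents=True)
        ff.write_text(json.dumps({"addons": [
            {"id": "sample@example", "version": "1.0.11",
             "defaultLocale": {"name": "Cisco WebEx Extension"}},
        ]}), encoding="utf-8")
        return audit_chrome_extensions(root / "chrome") + audit_firefox_profile(ff)


if __name__ == "__main__":
    root = default_chrome_extension_root()
    results = audit_chrome_extensions(root) if root.is_dir() else demo()
    for f in sorted(results, key=lambda f: f["version"]):
        status = "UPDATE REQUIRED" if f["vulnerable"] else "ok"
        print(f"{status:16} {f['name']} {f['version']}  {f['path']}")
```

Numeric comparison matters here: a plain string comparison would rank "1.0.9" above "1.0.12". One caveat for real profiles: Chrome manifests frequently carry a localized placeholder such as "__MSG_appName__" in the "name" field, so a production check should also key on the extension's directory name (its extension id) rather than the display name alone.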

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the update provided by Cisco immediately after appropriate testing.
  • Users of Microsoft Windows systems can alternatively use Microsoft Edge to join and participate in WebEx sessions.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
