Cisco Patches Remote Code Execution Flaws in Webex Player
Cisco has released patches to address more than a dozen vulnerabilities across various products, including two code execution bugs in Webex Player that could be exploited remotely.
Tracked as CVE-2020-3127 and CVE-2020-3128 and rated high severity, the issues stem from insufficient validation of elements within a Webex recording stored as ARF or WRF. To exploit the bugs, an attacker needs to send a malicious ARF or WRF file and trick the victim into opening the file on the local system, which could result in arbitrary code being executed with the privileges of the targeted user.
A separate issue, tracked as CVE-2020-3155, could be exploited remotely to view or alter information shared on Webex video devices and Cisco collaboration endpoints.
The bug exists due to the lack of validation of the SSL server certificate received when connecting to a Webex video device or a Cisco collaboration endpoint.
Cisco products impacted by the bug include the Intelligent Proximity application, Jabber, Webex Meetings, Webex Teams, and Meeting App. No software updates are available to address the issue.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-03-04 | CVE-2020-3127 | Improper Input Validation vulnerability in Cisco products: Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2020-03-04 | CVE-2020-3128 | Improper Input Validation vulnerability in Cisco products: Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. | 7.8 |
2020-03-04 | CVE-2020-3155 | Improper Certificate Validation vulnerability in Cisco products: A vulnerability in the SSL implementation of the Cisco Intelligent Proximity solution could allow an unauthenticated, remote attacker to view or alter information shared on Cisco Webex video devices and Cisco collaboration endpoints if the products meet the conditions described in the Vulnerable Products section. | 7.4 |