SB2018071907 - Multiple vulnerabilities in Cisco Webex Player and Webex Network Recording Player

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2018-0379)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files due to insufficient input validation. A remote unauthenticated attacker can supply a specially crafted .arf or .wrf file via email or URL, thick the victim into launching it in the Webex recording players and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Improper input validation (CVE-ID: CVE-2018-0380)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files due to insufficient input validation. A remote unauthenticated attacker can supply a specially crafted .arf or .wrf file via email or URL, thick the victim into launching it in the Webex recording players and cause the service to crash.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos