Privilege escalation in Cisco Webex Meetings Desktop App and Webex Productivity Tools
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-1674 |
| CWE-ID | CWE-78 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Cisco Webex Productivity Tools Client/Desktop applications / Other client software Cisco Webex Meetings Desktop App Client/Desktop applications / Other client software |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) OS Command Injection
EUVDB-ID: #VU17883
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-1674
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system with elevated privileges.
The vulnerability exists due to improper input validation when processing parameters passed via CLI. A local user can launch the application with a specially crafted argument and execute arbitrary OS command with SYSTEM privileges.
Install updates from vendor's website.
Vulnerable software versionsCisco Webex Productivity Tools: 33.0.0 - 33.0.6
Cisco Webex Meetings Desktop App: 33.6.0 - 33.6.5
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
