Command Injection in Cisco Webex Video Mesh

Published: 2020-01-09
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2019-16005
CWE ID: CWE-77
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco Webex Video Mesh (Server applications / Other server solutions)
Vendor: Cisco Systems, Inc.

Security Advisory

This security advisory describes one medium risk vulnerability.

1) Command Injection

Risk: Medium

CVSSv3: 6.3 (temporal score; base score 7.2) [CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16005

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote, authenticated administrator to execute arbitrary commands on the target system.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input before passing it to an operating system command. An attacker who holds valid administrator credentials for the interface can send a specially crafted request and execute arbitrary commands on the underlying Linux operating system with root privileges on the targeted node. The privilege requirement (PR:H) limits exposure to compromised or malicious administrator accounts; it does not reduce the impact, which is full control of the node.
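The following is an added illustration of the CWE-77 pattern described above, not code from Cisco or from Webex Video Mesh, and it makes no claim about which request or parameter is affected in the real product. It models a hypothetical diagnostic handler in a management interface that runs a host-based tool on a hostname taken from the request. `echo` is used as a stand-in for the real tool so the example runs offline; the vulnerable version concatenates the input into a shell command line, while the fixed version validates against an allowlist and execs without a shell. A POSIX `/bin/sh` is assumed, since the `;` separator is a Bourne-shell feature.

```python
"""
Illustration of CWE-77 (OS command injection) in a web-facing handler.

Added example, hypothetical code: not Cisco's, and not a description of the
real Webex Video Mesh flaw. `echo` stands in for a diagnostic tool such as
ping so the example runs offline. Assumes a POSIX /bin/sh.
"""
import re
import subprocess

# Constructed sample inputs: a benign admin request and a crafted one.
BENIGN_HOST = "example.com"
CRAFTED_HOST = "example.com; echo INJECTED"

# Allowlist for a DNS hostname: letters, digits, dots and hyphens only.
# Shell metacharacters (; | & $ ` ( ) < > space newline) cannot pass.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def diagnose_vulnerable(host: str) -> list[str]:
    """Builds a command string from request input and hands it to the shell.

    The shell parses the metacharacters in `host`, so ';' terminates the
    intended command and starts a second one chosen by the requester. If the
    web service runs as root, so does the injected command.
    """
    cmd = f"echo {host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def diagnose_argv_only(host: str) -> list[str]:
    """Execs without a shell but with no validation.

    With an argv list no shell ever parses the value: the whole string is
    delivered as one literal argument, so the input cannot become a second
    command. Validation is still wanted to reject junk and option-like input.
    """
    proc = subprocess.run(["echo", host], capture_output=True, text=True)
    return proc.stdout.splitlines()


def diagnose_fixed(host: str) -> list[str]:
    """Allowlist validation plus shell-free exec: two independent layers."""
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return diagnose_argv_only(host)


if __name__ == "__main__":
    print("vulnerable:   ", diagnose_vulnerable(CRAFTED_HOST))   # ['example.com', 'INJECTED']
    print("argv only:    ", diagnose_argv_only(CRAFTED_HOST))    # ['example.com; echo INJECTED']
    try:
        diagnose_fixed(CRAFTED_HOST)
    except ValueError as exc:
        print("fixed:        ", exc)
    print("fixed, benign:", diagnose_fixed(BENIGN_HOST))         # ['example.com']
```

The two layers in `diagnose_fixed` matter independently: the allowlist stops bad input at the boundary, and the argv form means a later validation bug cannot reintroduce command execution. Neither addresses the second half of this advisory's impact (root on the node); that comes from running the management service itself with the least privilege it needs.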

Mitigation

Install the fixed release from the vendor; the Cisco advisory linked under External links identifies the fixed software. Because exploitation requires administrator credentials for the web-based management interface, restrict network access to that interface and review which accounts hold administrator rights until the update is applied.

Vulnerable software versions

Cisco Webex Video Mesh: 2018.10.04.1692m, 2018.10.04.1694m, 2018.10.11.1702m, 2018.11.01.1722m, 2018.11.10.1730m, 2018.11.19.1744m, 2018.11.19.1744m1, 2018.12.11.1753m, 2019.01.14.1764m.1, 2019.01.29.1773m, 2019.02.12.1786m, 2019.03.22.1829m.2, 2019.04.18.1869m.1, 2019.04.29.1873m, 2019.04.29.1873m.4, 2019.05.20.1892m1, 2019.06.13.1907m.1, 2019.06.13.1907m.3, 2019.07.12.1917m, 2019.08.01.1929m, 2019.08.14.1937m, 2019.08.21.1941m.2

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-webex-video

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited over the network by a remote attacker who holds valid administrator credentials for the web-based management interface.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.