Important Cisco WebEx Bug Enables Remote Code Execution

A critical vulnerability in the recording function of Cisco Systems’ WebEx conferencing platform has been uncovered, allowing for remote code execution. Attackers can use the flaw by convincing users to open a file purporting to be a recording of a past WebEx event.

The bug (CVE-2018-0264) exists in the platform’s Recording Player for Advanced Recording Format (ARF), which allows users to play back WebEx meeting recordings. The player is installed automatically when a user accesses a recording file hosted on a WebEx server. Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, the Cisco WebEx Meetings Server and the Cisco WebEx ARF Player itself are all affected.

WebEx is widely deployed, and is used for audio and web conferencing along with broadcast applications like webinars and corporate C-suite speeches. Cisco said in an advisory that attackers can take advantage of this large attack surface via social engineering and spam campaigns, with the aim of convincing users to open a malicious ARF file.

Given how many businesses use WebEx, and how many workers attend WebEx meetings and events, it’s easily conceivable that an email using a lure along the lines of “Thanks for attending our webinar. Follow the link to access the event on-demand” could be spectacularly effective.

If clicked, the file opens the door to executing arbitrary code on the user’s system.

There are no workarounds that address the problem, but it’s possible to remove all WebEx software completely from a system by using a specialized tool created by Cisco. The IT giant has also made a patch available for the affected products.

This is just the latest WebEx flaw to burst on the scene. As recently as last week, Cisco patched another RCE vulnerability (CVE-2018-0112), this time due to an insufficient input validation by the WebEx clients. An attacker could exploit the flaw by sending meeting attendees a malicious Flash file through the WebEx client’s file-sharing protocol.

This isn’t the first ARF-related bug in the platform, either: Last November, Cisco issued a critical alert warning of multiple vulnerabilities in its popular WebEx player. Six RCE and system-crash bugs were listed in the security advisory, each of them relating to holes in the ARF player and the WebEx Recording Format (WRF) files.