Cisco released security updates today to address two high-severity vulnerabilities in the Cisco Webex Meetings Desktop App for Windows and macOS that could allow hackers to run programs and code on vulnerable devices.
Cisco Webex Meetings is online meeting and video conferencing software that makes it easier to schedule and join meetings. The platform also provides presentation, screen sharing and recording capabilities.
The two vulnerabilities are tracked as CVE-2020-3263 and CVE-2020-3342 and affect Cisco Webex Meetings Desktop App versions earlier than 39.5.12 and Cisco Webex Meetings Desktop App for Mac versions earlier than 39.5.11.
Remote program execution on Windows systems
The arbitrary program execution flaw affecting the Windows client is caused by improper validation of the URLs supplied to the Cisco Webex Meetings Desktop App.
CVE-2020-3263 could allow remote intruders without authentication to run programs on systems running an unpatched version of the Cisco Webex Meetings Desktop App. An intruder can exploit this vulnerability by tricking the target into clicking a malicious URL.
"A successful exploitation could allow the attacker to make the application execute other programs that already exist on the system," says Cisco.
"If there are malicious files on the system, the attacker could execute arbitrary code on the affected system."
Remote arbitrary code execution on Mac
The remote code execution vulnerability found in the macOS client is due to improper validation of certificates on software update files downloaded by the affected versions of the Cisco Webex Meetings Desktop App for Mac.
CVE-2020-3342 could allow unauthorized intruders to remotely execute arbitrary code with the privileges of the logged-in user on Macs running unpatched versions of the Cisco Webex Meetings Desktop App.
"An attacker could exploit this vulnerability by persuading a user to go to a site that displays files to the client that are similar to files displayed on a valid Webex website," Cisco explains.
"The client may fail to properly validate the cryptographic protection methods of the files provided before performing them as part of an update."
Although there are no known workarounds for these two vulnerabilities, Cisco has released free software updates to fix the flaws.
The Cisco Product Security Incident Response Team (PSIRT) has not yet identified any malicious use of these vulnerabilities.
Cisco fixed CVE-2020-3263 in Cisco Webex Meetings Desktop App version 40.1.0 and later.
CVE-2020-3342 was fixed in version 39.5.11 and later of the Cisco Webex Meetings Desktop App for Mac.
Windows and macOS users can update the Cisco Webex Meetings Desktop App by following the instructions in the Cisco Webex Meetings Desktop App Help Center article.
Administrators can update both applications for their entire user base by following the detailed instructions in the guide from Webex.
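For administrators checking a fleet, the following added example (not code from Cisco or from the original article) flags hosts whose installed version falls in the affected ranges the article states. The inventory rows, host names and function names are constructed for illustration, and the platform labels are an assumption about how an inventory export names them.

```python
import re

# Affected = any version earlier than the one listed (ranges from the article).
FIRST_UNAFFECTED = {
    "windows": ("CVE-2020-3263", (39, 5, 12)),
    "macos": ("CVE-2020-3342", (39, 5, 11)),
}

def parse_version(text):
    """Turn '39.5.11' or '39.5.11.4' into a tuple of ints; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def _pad(version, width):
    """Right-pad with zeros so 39.5.12 and 39.5.12.0 compare as equal."""
    return version + (0,) * (width - len(version))

def triage(platform, version):
    """Return (status, cve); status is 'affected', 'ok' or 'unknown'."""
    entry = FIRST_UNAFFECTED.get(platform.strip().lower())
    parsed = parse_version(version)
    if entry is None or parsed is None:
        # Unparseable data is surfaced for manual review, never treated as safe.
        return ("unknown", None)
    cve, threshold = entry
    width = max(len(parsed), len(threshold))
    # Numeric tuple comparison: 39.5.9 sorts before 39.5.11, unlike string order.
    if _pad(parsed, width) < _pad(threshold, width):
        return ("affected", cve)
    return ("ok", cve)

# Constructed inventory rows: (host, platform, installed version)
INVENTORY = [
    ("ws-001", "Windows", "39.5.10"),
    ("ws-002", "Windows", "40.1.0"),
    ("mb-001", "macOS", "39.5.9.2"),
    ("mb-002", "macOS", "39.5.11"),
    ("ws-003", "Windows", "unknown-build"),
]

def report(rows):
    """Triage every inventory row and return (host, status, cve) tuples."""
    return [(host,) + triage(platform, ver) for host, platform, ver in rows]

if __name__ == "__main__":
    for host, status, cve in report(INVENTORY):
        print(f"{host}: {status} {cve or ''}".rstrip())
```

Hosts reported as unknown need a manual version check before they are counted as patched.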