A Vulnerability in Cisco WebEx Browser Extensions Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2017-067 - UPDATED
Date(s) Issued: 
Tuesday, July 18, 2017
Date Updated: 
Wednesday, July 19, 2017
Subject: 
A Vulnerability in Cisco WebEx Browser Extensions Could Allow for Arbitrary Code Execution
Overview: 

A vulnerability has been discovered in the Cisco WebEx browser extensions for the Windows versions of Chrome and Firefox, which could allow for arbitrary code execution. Cisco has confirmed that this vulnerability does not affect the Cisco WebEx browser extensions for Mac or Linux, nor WebEx on Microsoft Edge or Internet Explorer. The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. Successful exploitation of this vulnerability could result in the attacker gaining control of the affected system.

Systems Affected: 
  • Cisco WebEx Extension for Chrome prior to 1.0.12 for Windows

  • Cisco WebEx Extension for Firefox prior to 1.0.12 for Windows

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

A vulnerability has been discovered in the Cisco WebEx browser extensions, which could allow for arbitrary code execution. The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page, or to follow an attacker-supplied link, with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser, which could result in the attacker gaining control of the affected system.

Currently, version 1.0.12 of the Cisco WebEx Extension for Google Chrome contains a fix for this vulnerability. Chrome users can take the following steps to ensure they are running the fixed version of the extension:

  • In Chrome, open the Settings page.

  • Click Extensions.

  • Select the Developer mode checkbox.

  • Click Update extensions now.

Mozilla Firefox users can take the following steps to ensure the Cisco WebEx add-on is configured to receive automatic updates:

  • In Firefox, open the settings menu by clicking on the 'Open Menu' icon.

  • Click 'Add-ons'

  • Click 'Extensions'

  • Click on 'More' under 'Cisco WebEx Extension'

  • Enable Automatic Updates

July 19, 2017 - UPDATED DESCRIPTION:

Instructions for updating extensions in current versions of Google Chrome are the following:

  • In Chrome, select the 'Customize and control Google Chrome' icon at the top right of the browser window.

  • Navigate to 'More tools'.

  • Select 'Extensions'.

  • Enable 'Developer mode'.

  • Select 'Update extensions now'.

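The steps above force an update; they do not by themselves tell an administrator which machines still carry a pre-1.0.12 copy. The script below is an added example for this advisory (not code from the advisory, Cisco, or Google) that inventories a Chrome profile and flags outdated WebEx extensions. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version folder>/manifest.json`, that the WebEx extension's manifest name contains the word "WebEx", and that 1.0.12 is the first fixed version as the advisory states. The extension IDs and manifests in the sample tree are constructed for the example. It compares versions numerically (so 1.0.9 is correctly seen as older than 1.0.12), reads the version from the manifest rather than the folder name, and resolves Chrome's localized `__MSG_...__` name placeholders.

```python
"""Inventory Cisco WebEx extensions installed in a Chrome profile and flag any
version older than the fixed release named in the advisory (1.0.12).

Added example for this advisory; not code from the advisory, Cisco, or Google.
Assumptions: Chrome keeps each installed extension under
<profile>/Extensions/<extension id>/<version folder>/manifest.json, the WebEx
extension's manifest name contains the word "WebEx", and 1.0.12 is the first
fixed version. Extension IDs and manifests in the sample tree are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.0.12"


def version_tuple(version):
    """'1.0.12' -> (1, 0, 12). Comparing tuples of integers avoids the string
    trap where '1.0.9' sorts after '1.0.12'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed version."""
    return version_tuple(version) < version_tuple(fixed)


def resolve_name(ext_dir, manifest):
    """Chrome manifests may carry a localized placeholder such as
    '__MSG_extName__'; look the real name up in
    _locales/<default_locale>/messages.json, falling back to the placeholder."""
    name = manifest.get("name", "")
    match = re.fullmatch(r"__MSG_(\w+)__", name)
    if not match:
        return name
    locale = manifest.get("default_locale", "en")
    messages = ext_dir / "_locales" / locale / "messages.json"
    try:
        data = json.loads(messages.read_text(encoding="utf-8-sig"))
        return data[match.group(1)]["message"]
    except (OSError, KeyError, TypeError, ValueError):
        return name


def scan_chrome_extensions(extensions_root):
    """Return [(extension_id, name, version, vulnerable)] for every installed
    copy of an extension whose name mentions WebEx. The version comes from the
    manifest, not the folder name, which Chrome suffixes (e.g. '1.0.12_0')."""
    findings = []
    for manifest_path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest: skip, do not crash
        name = resolve_name(ext_dir, manifest)
        if "webex" not in name.lower():
            continue
        version = str(manifest.get("version", "0"))
        findings.append((ext_dir.parent.name, name, version, is_vulnerable(version)))
    return findings


def build_sample_profile(base=None):
    """Construct a small Extensions tree (sample data, not a real profile):
    one outdated WebEx copy, one fixed copy with a localized name, and one
    unrelated extension. Returns the Extensions root."""
    root = Path(base or tempfile.mkdtemp()) / "Extensions"
    samples = {
        ("constructedwebexoldid", "1.0.9_0"): {
            "name": "Cisco WebEx Extension", "version": "1.0.9"},
        ("constructedwebexnewid", "1.0.12_0"): {
            "name": "__MSG_extName__", "default_locale": "en", "version": "1.0.12"},
        ("constructedotherextid", "3.2.1_0"): {
            "name": "Some Other Extension", "version": "3.2.1"},
    }
    for (ext_id, folder), manifest in samples.items():
        ext_dir = root / ext_id / folder
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if manifest["name"].startswith("__MSG_"):
            locale_dir = ext_dir / "_locales" / manifest["default_locale"]
            locale_dir.mkdir(parents=True, exist_ok=True)
            (locale_dir / "messages.json").write_text(
                json.dumps({"extName": {"message": "Cisco WebEx Extension"}}),
                encoding="utf-8")
    return root


if __name__ == "__main__":
    # On a real Windows host point this at the profile's Extensions folder, e.g.
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
    for ext_id, name, version, vulnerable in scan_chrome_extensions(build_sample_profile()):
        status = "VULNERABLE (older than %s)" % FIXED_VERSION if vulnerable else "ok"
        print(f"{ext_id}: {name} {version} -> {status}")
```

Run it against each user profile on a host to find outdated copies; a profile can hold more than one version folder for the same extension while an update is pending, so every copy is reported rather than only the newest.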
Actions: 
  • After appropriate testing, immediately apply patches provided by Cisco to the vulnerable systems.

  • Users of Microsoft Windows systems can alternatively use Microsoft Edge, which is not affected, to join and participate in WebEx sessions.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.