Cisco has patched its Webex Meetings Desktop App for Windows to fix a vulnerability in releases before 33.6.0 that a locally authenticated attacker can exploit to run arbitrary commands as a privileged user.
“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument,” Cisco said in an advisory. “An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”
Cisco said in its advisory that the security bug, also known as WebExec, requires an attacker to have local access to a machine running the vulnerable software.
However, attackers could exploit the vulnerability remotely on systems where Active Directory is deployed, by starting the service with the operating system's built-in remote management tools.
Admins who want to stop attackers from starting the service remotely should update their Cisco Webex Meetings Desktop App installation to release 33.6.0 or later, the version in which Cisco removed the WebExec vulnerability. As the researchers who found the issue noted, WebExService “will still be vulnerable to local privilege escalation, though, without the patch.”
In addition, Cisco said it has released security updates for all products affected by the WebExec bug. Because there are no workarounds that completely mitigate CVE-2018-15442, all system administrators are advised to update to the patched Windows versions of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools.
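Since updating is the only complete mitigation, the practical question for an administrator is which Windows hosts still run a pre-33.6.0 build and still have WebExService installed. The following PowerShell inventory check is an added example written for this article; it is not code from Cisco or from the researchers. It assumes the app registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "Webex Meetings" and a DisplayVersion string (an assumption, not something the advisory states); the service name WebExService and the fixed release 33.6.0 are taken from the text above.

```powershell
# Added example (not Cisco's or the researchers' code): per-host check for the
# WebExec (CVE-2018-15442) fix. Reports Webex Meetings Desktop App installs older
# than 33.6.0 and whether WebExService is present. ASSUMPTION: the app appears in
# the standard Windows Uninstall keys with DisplayName like "*Webex Meetings*".

$FixedVersion = [version]'33.6.0'   # first fixed release named in the advisory

function Get-WebexMeetingsInstalls {
    # Standard Windows uninstall hives (64-bit and 32-bit/WOW6432Node).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Webex Meetings*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-WebexVersionPatched {
    param([string]$DisplayVersion)
    # Normalise to at least major.minor.build so "33.6" compares equal to 33.6.0
    # rather than below it; [version] treats missing components as -1.
    $parts = @($DisplayVersion.Trim() -split '\.')
    while ($parts.Count -lt 3) { $parts += '0' }
    $parsed = $null
    # Unparsable strings are treated as unknown, i.e. not proven patched.
    if (-not [version]::TryParse(($parts -join '.'), [ref]$parsed)) { return $false }
    return ($parsed -ge $FixedVersion)
}

function Get-WebExServiceState {
    # Service name as given in the article; absent means no WebExec service to start.
    $svc = Get-Service -Name 'WebExService' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'absent' }
    return $svc.Status.ToString()
}

# Report for this host.
$installs = Get-WebexMeetingsInstalls
if (-not $installs) {
    Write-Output 'No Cisco Webex Meetings Desktop App install found in the Uninstall keys.'
} else {
    foreach ($i in $installs) {
        $ok = Test-WebexVersionPatched -DisplayVersion $i.DisplayVersion
        $verdict = if ($ok) { 'patched (33.6.0 or later)' }
                   else     { 'VULNERABLE to CVE-2018-15442: update to 33.6.0 or later' }
        Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $verdict)
    }
}
Write-Output ('WebExService state: {0}' -f (Get-WebExServiceState))
```

Run it locally as an administrator, or push it through your usual remote execution channel to a fleet and collect the output; a host that reports a pre-33.6.0 version together with a present WebExService is one that both the local and the remote attack paths described above still apply to.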