Guest

Preview Tool

Cisco Bug: CSCvi02621 - Cisco Webex Network Recording Players Remote Code Execution Vulnerabilities

Last Modified

Jul 19, 2018

Products (1)

  • Cisco Webex Meetings Online

Known Affected Releases

T31

Description (partial)

Symptom:
Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could allow arbitrary code execution on the system of a targeted user. There is no risk when a .arf player that is stored on a Webex site is played in the Webex Network Recording Player.

The Cisco Webex players are applications that are used to play back Webex meetings that have been recorded by an online meeting attendee. The Webex Network Recording Player for .arf files can be automatically installed when the user accesses a recording that is hosted on a Webex server. The Webex Player for .wrf files can be downloaded manually.

Cisco has updated affected versions of the ARF and WRF recording players on Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-rce

Conditions:
These vulnerabilities affect ARF and WRF recording players available from Cisco Webex Meetings Suite sites. The following versions of ARF and WRF recording players are affected:

* Cisco Webex Meetings Suite (WBS31) - Webex Network Recording Player and Webex Player versions prior to WBS31.23
* Cisco Webex Meetings Suite (WBS32) - Webex Network Recording Player and Webex Player versions prior to WBS32.15
* Cisco Webex Meetings Suite (WBS33) - Webex Network Recording Player and Webex Player versions prior to WBS33.2
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.