
Cisco Discovers High-Severity Flaws in its Software


The IT and networking giant Cisco has disclosed multiple vulnerabilities in its Webex, SD-WAN, and ASR 5000 products that could allow attackers to execute arbitrary code.

Cisco has provided patches for a wide range of vulnerabilities, including updates for high-severity issues in the widely used Webex Player, SD-WAN, and ASR 5000 Series.

A total of three high-severity flaws (CVSS score of 7.8) have been addressed and patched in Webex Player for Windows and macOS; two of them also affect the Webex Network Recording Player on those operating systems.

The first bug, CVE-2021-1526, is a memory corruption issue that could be exploited to execute arbitrary code on a vulnerable computer. A manipulated Webex Recording Format (WRF) file could be used to trigger the vulnerability.

The problem affects Cisco Webex Player for Windows and macOS releases earlier than version 41.5 but does not affect the Webex Network Recording Player.

The next two vulnerabilities, CVE-2021-1502 and CVE-2021-1503, are memory corruption issues that affect both the Webex Network Recording Player and Webex Player on Windows and macOS.

Both could be used to execute arbitrary code on the affected system. Both issues are resolved in version 41.4 of Webex Player and Webex Network Recording Player.

In addition, Cisco recently issued updates for SD-WAN software to address CVE-2021-1528, a high-severity flaw (CVSS score of 7.8) that could be used to gain elevated privileges on a vulnerable system. This bug affects SD-WAN versions 20.4 and 20.5 (vBond Orchestrator, vEdge Cloud and vEdge Routers, vManage, and vSmart Controller) and has been addressed in SD-WAN versions 20.4.2 and 20.5.1.

Cisco has also issued updates for several vulnerabilities in the ASR 5000 Series Software (StarOS) that could be leveraged to bypass authorization and execute CLI commands on an affected device. CVE-2021-1539 is the most significant of these defects (CVSS score of 8.1).

Cisco urges customers to upgrade to the patched versions of each product as soon as possible. Furthermore, the company emphasizes that it is not aware of these vulnerabilities being exploited in attacks. Cisco has also released information on other medium-severity vulnerabilities affecting its portfolio of products, including Webex Meetings, Webex Player, ThousandEyes Recorder, Video Surveillance 7000 IP cameras, and Common Services Platform Collector (CSPC).

The company also highlighted that several vulnerabilities in the frame aggregation and fragmentation features of the 802.11 standards affect several of its products. An attacker could misuse such defects to forge encrypted frames and exfiltrate sensitive device data.

Vulnerability found in Cisco Webex Meetings Suite lets unauthorized attackers join private meetings

Cisco Webex Meetings Suite, a platform that lets its customers organize online meetings and seminars anytime, anywhere, has been found to contain a security vulnerability that allows an unauthorized attacker to enter a password-protected meeting without the password.

The Vulnerability -
The vulnerability allows an attacker who has the meeting ID or meeting URL to join a meeting from a mobile device browser. The browser launches the meeting in the Webex mobile application, and the unauthenticated user can then join the password-protected meeting without the password. “The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee,” reads the Cisco blog post.

This makes it fairly easy to identify the unauthorized individual, as they will be visible as a mobile attendee. This Cisco Webex vulnerability has received a score of 7.2 out of 10 (tracked as CVE-2020-3142). The Cisco Product Security Incident Response Team (PSIRT) said it has not yet seen an attacker exploiting the vulnerability.

Versions with the vulnerability -
The vulnerability is present in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites in versions earlier than 39.11.5 and 40.1.3. Cisco says that Cisco Webex Meetings Server is not affected by the vulnerability.

Cisco has now released fixes for the vulnerability in versions 39.11.5 and later and 40.1.3 and later for Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites. “The fix applies to Cisco Webex Meetings Suite sites and Cisco Webex Meetings sites only. Customers are not required to update the Cisco Webex Meetings mobile application or the Cisco Webex Meetings desktop application.”

Cisco recently fixed 11 more bugs in Cisco Data Center Network Manager, faults that allowed remote code execution (RCE), SQL injection, and authentication bypass attacks. Cisco is expected to fix the bug soon. Users are advised to watch for any suspicious activity and report to the company immediately if they find any malicious activity on the platform.