• About
  • Advertise
  • Careers
  • Contact
Monday, March 20, 2023
No Result
View All Result
NEWSLETTER
Cyber360 News
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us
No Result
View All Result
Cyber360 News
No Result
View All Result
Home Security

Cisco addresses high severity RCE flaws in Webex Player

by Cyber360 News
March 5, 2020
in Security
0
Cisco addresses high severity RCE flaws in Webex Player
0
SHARES
2
VIEWS
Share on FacebookShare on Twitter

Cisco has released security updates to fix multiple vulnerabilities in various products, including two remote code execution flaws in Webex Player. 

The two remote code execution vulnerabilities fixed by Cisco have been tracked CVE-2020-3127 and CVE-2020-3128 respectively. The vulnerabilities have been rated as high severity and received a CVSS score of 7.8.

The vulnerabilities are caused by the insufficient validation of elements within a Webex recording stored as ARF (Advanced Recording Format) or WRF (Webex Recording Format).

A remote attacker could exploit the vulnerabilities by sending malicious ARF/WRF files and tricking the victim into opening them. The flaw could trigger the execution of arbitrary code with the privileges of the current user.

“The vulnerabilities are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user.”

The flaws affect Webex Meetings (Webex Network Recording Player and Webex Player versions prior to WBS 39.5.17 or WBS 39.11.0), Webex Meetings Online (Webex Network Recording Player and Webex Player releases earlier than 1.3.49), and Webex Meetings Server (Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2). 

Cisco confirmed that it is not aware of attacks in the wild exploiting the flaws. 

The tech giant also released security updated for another two high severity vulnerabilities, a Cisco Intelligent Proximity SSL Certificate Validation flaw (CVE-2020-3155) and a Cross-Site Request Forgery Vulnerability in Cisco Prime Network Registrar (CVE-2020-3148).

The CVE-2020-3155 flaw could be remotely exploited to view or alter information shared on Webex video devices and Cisco collaboration endpoints. 

The flaw is caused by the lack of validation of the SSL server certificate received when connecting to a Webex video device or a Cisco collaboration endpoint. In this scenario, an attacker could carry out a man in the middle (MITM).

The CVE-2020-3148 flaw impacts the web-based interface of Prime Network Registrar (CPNR) and could be exploited by a remote, unauthenticated attacker to launch a cross-site request forgery (CSRF) attack.

Cisco also fixed nine medium severity flaws that could lead to information disclosure, command execution, denial of service, cross-site scripting (XSS), or resource exhaustion. 

The flaws impact Webex Meetings Client for MacOS, TelePresence Management Suite, Remote PHY Device Software, Prime Collaboration Provisioning, Identity Services Engine (ISE), IOS XR Software, AsyncOS Software for Email Security Appliances (ESAs), and ESA, Web Security Appliance (WSA), and Content Security Management Appliance (SMA).

The full list of addressed issued is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco WebEx client)



Share On


Cyber360 News

Cyber360 News

Next Post
This report does not highlight threats against iPhones.

This report does not highlight threats against iPhones.

Recent Posts

Twitch’s Entire Critical Data Leaked, Includes Streamer Earnings, Source Code

Twitch’s Entire Critical Data Leaked, Includes Streamer Earnings, Source Code

October 6, 2021
Former U.S. Security Firm Helped The UAE Carry Out “Karma” iMessage Hack: MIT Tech Review

Former U.S. Security Firm Helped The UAE Carry Out “Karma” iMessage Hack: MIT Tech Review

October 1, 2021
Facing “This App Has Been Blocked For Your Protection” Issue? Here’s How You Can Fix It

Facing “This App Has Been Blocked For Your Protection” Issue? Here’s How You Can Fix It

October 1, 2021

Whats New in Kali Linux?

September 14, 2021

Kali Linux 2019.3 Release (CloudFlare, Kali-status, metapackages, Helper-Scripts & LXD)

September 14, 2021

Kali Linux 2021.3 Release (OpenSSL, Kali-Tools, Kali Live VM Support, Kali NetHunter Smartwatch)

September 14, 2021

Kali Linux 2018.4 Release

September 14, 2021

Kali Linux 1.0.5 and Software Defined Radio

September 14, 2021

Kali Tools Website Launched, 1.0.9 Release

September 14, 2021

Kali Linux Dojo at Black Hat Vegas 2016

September 14, 2021

Category

Site Links

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

About Us

We bring you the best Premium WordPress Themes that perfect for news, magazine, personal blog, etc. Check our landing page for details.

© 2019 Cyber360 News - Powered by WebSensePro

No Result
View All Result
  • Home
  • Security
  • Data Breach
  • Cyber Attacks
  • Cyber Security
  • Cyber Crime
  • Contact Us

© 2019 Cyber360 News - Powered by WebSensePro

Login to your account below

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In