Companies should check they are running latest version of WebEx, and beware attacks via the road less travelled.
A critical vulnerability has been found in Cisco’s WebEx conferencing software – widely used by businesses – that could be exploited by an attacker to spread malware directly to other meeting participants, tricking them into executing it on their computers.
Specifically, as described in a security advisory that Cisco published last week, the vulnerability (CVE-2018-0112) allows a boobytrapped Flash file (.SWF) to be uploaded to WebEx conference meeting attendees due to insufficient input validation by the Cisco WebEx’s client software.
The flaw was found by security analyst Alexandros Zacharis, who has previously uncovered flaws that could allow attackers to turn Skype’s internal browser into a listening device.
Zacharis, who works as an analyst the European Union Agency for Network and Information Security (ENISA), reported the problem directly to Cisco, which has confirmed that the vulnerability is present on the following versions of Cisco WebEx Business Suite (WBS30, WBS31, and WBS32), Cisco WebEx Meetings, and Cisco WebEx Meetings Server:
- Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.2
- Cisco WebEx Business Suite (WBS32) client builds prior to T32.10
- Cisco WebEx Meetings with client builds prior to T32.10
- Cisco WebEx Meetings Server builds prior to 2.8 MR2
Cisco rated the CVE-2018-0112 vulnerability as “critical”, and it has been given given a CVSS score of 9.0.
The good news is that no evidence has been uncovered showing that the flaw has been exploited in in-the-wild attacks, and that Cisco has released updates to its software which address the vulnerability. If your company has updated to the most current client build of WebEx, you will simply no longer be able to share Flash (.SWF) files using the software’s file-sharing features.
It’s a brutal solution, but an effective and understandable one. After all, how often would the typical user legitimately need to share an .SWF file in a WebEx online meeting? And it’s not as though we can realistically expect WebEx to determine whether a particular Flash file can be considered safe to share or not.
So – problem found, problem fixed. That’s the end of the story, right?
Well, not quite.
You see although hopefully many businesses will have received and rolled-out the automatic updates for WebEx from Cisco, others will not. Some firms may be either wary of pushing out software updates to their computers, or not receiving updates to WebEx because their software licences have expired.
It’s easy to imagine how a flaw such as this could be exploited against a business which is not, for whatever reason, updating its WebEx clients. Someone interested in targeting a particular organisation, for instance, could attempt to take advantage of the flaw to introduce malware into their intended victims’ network by introducing it into a WebEx meeting rather than use a more conventional route such as email attachment.
Workers should be just as cautious of opening files that shared with them by the road less travelled as more conventional routes.
The sheer prevalence of malware spread via email attachments or malicious links has understandably made us more cautious of clicking on them, but when a file is shared via an online meeting with someone who appears to be a trusted colleague, it’s all too easy to imagine that many staff members would let their guard down.
written by Graham Cluley, ESET We Live Security