Cisco has released a security update for Webex Meetings which resolves an exploitable vulnerability leading to privilege escalation.
The security flaw, CVE-2018-15442, exists in the Cisco Webex Meetings Desktop App for Windows and "could allow an authenticated, local attacker to execute arbitrary commands as a privileged user."
A failure to sufficiently validate user-supplied parameters in the app has caused the problem, which can be exploited by a threat actor who invokes the update service command with a crafted argument.
This could force the system to run arbitrary commands with system user privileges.
According to Cisco's security advisory, all Cisco Webex Meetings Desktop App releases prior to 33.6.0, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5 on the Microsoft Windows operating system are affected.
There are no workarounds, so to protect systems against this vulnerability, deemed "important," admins should apply Cisco's fix or allow automatic updates to take place.
The Webex Meetings alert was issued at the same time as an advisory for a critical vulnerability, a recently disclosed libssh bug that impacts vendors that use the library.
Vendors including F5 and Red Hat are known to have also been affected by the vulnerability, which is considered "trivial" to exploit. Now, Cisco has confirmed the security flaw also impacts its products.
Earlier this month, Cisco resolved two severe vulnerabilities in its Digital Network Architecture (DNA) Center software. If exploited, the flaws could permit remote attackers to take control of identity management functions, as well as access core management functions.