Home & Office

Windows 10: Using Cisco's Webex Meetings for remote work? Patch now, warns Cisco

Cisco has fixes for high-severity security flaws in Cisco Webex Meetings for Windows and its recording playback apps.
Written by Liam Tung, Contributing Writer

Cisco has found a security bug that impacts remote workers using its Webex Meetings Virtual Desktop App for Windows. 

With the company's Webex Meetings one of the main enterprise options for online video meetings with teammates, the product is probably getting even higher use due to remote working as the COVID-19 pandemic rolls on across the world. 

Cisco has warned that the bug in Webex Meetings Desktop App for Windows is a high-severity security flaw. 

SEE: Network security policy (TechRepublic Premium)

However, it can only be exploited when Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients. 

The plug-in is designed to support HVD users, such as remote workers who are connecting to a corporate network from a personal computer.

The flaw may allow an attacker to execute arbitrary code on a targeted system with the targeted user's privileges. 

"A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user," Cisco explains in an advisory

One mitigating factor is that the vulnerability can only be exploited by a local attacker with limited privileges who had sent a malicious message to the affected software by using the virtualization channel interface. 

Nonetheless, Cisco has given the bug, tracked as CVE-2020-3588, a severity rating of 7.3 out of a possible 10. 

The bug has been fixed in the Webex Meetings Desktop App for Windows releases 40.6.9 and later and 40.8.9 and later. The issue was due to the desktop app improperly validating messages.

Cisco also notes that customers must update the affected app in the HVD in the virtual desktop environment. However, the plug-in does not need to be updated. 

Fortunately, Cisco's Product Security Incident Response Team (PSIRT) has not observed any attacks in the wild and Cisco found the bug during internal testing. 

Cisco is also urging customers to update Webex Meetings sites and Webex Meetings Server due to vulnerabilities affecting the Webex Network Recording Player for Windows and Webex Player for Windows. 

There are three bugs that stem from the playback apps not doing enough to validate elements of Webex recordings stored in the Advanced Recording Format (ARF) – a video format for Webex – or the Webex Recording Format (WRF). 

The bugs are tracked as CVE-2020-3573, CVE-2020-3603, and CVE-2020-3604. They have a severity rating of 7.8. 

Attackers can exploit the flaws by sending the target a malicious ARF or WRF file through a link or email attachment, and then tricking the target into opening the file with the two Webex players. 

Webex Network Recording Player is used to play back ARF files, while Webex Player is used to play back WRF files. 

The playback applications are available from Cisco Webex Meetings and Cisco Webex Meetings Server. 

SEE: These software bugs are years old. But businesses still aren't patching them

The Webex Network Recording Player is available from Cisco Webex Meetings sites and Cisco Webex Meetings Server. The Cisco Webex Player is available from Cisco Webex Meetings sites but not from the Cisco Webex Meetings Server.

While Cisco's PSIRT has not observed any malicious activity using these flaws, they were found by security researcher Francis Provencher (PRL) who reported the issue to Cisco via Trend Micro's Zero Day Initiative. 

Cisco notes there are no workarounds for this bug and has listed in its advisory the releases of Webex Meetings sites and Webex Meetings Server that need to be updated.  

More on Cisco and networking security

  • Cisco security warning: Patch Webex Teams for Windows and surveillance camera now  
  • Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software  
  • Patch now: Cisco warns Jabber IM client for Windows has a critical flaw  
  • Cisco bug warning: Critical static password flaw in network appliances needs patching  
  • Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows  
  • Patch now: Cisco warns of nasty bug in its data center software  
  • Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise'  
  • Cisco warns: These Nexus switches have been hit by a serious security flaw  
  • Cisco: Critical Java flaw strikes 'call center in a box', patch urgently  
  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET
  • Editorial standards