Cisco Webex Bug Allows Remote Code Execution
Cisco patched two high-severity flaws this week, in its Webex and IOS XE Software products.
Cisco Systems has fixed two high-severity vulnerabilities in its products, including one in its popular Webex video conferencing platform that could enable a remote attacker to execute commands.
The high-severity Webex flaw exists in the web-based management interface of Cisco Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing, to enhance audio, video and content.
“A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges on a targeted node,” according to Cisco’s security advisory, released this week.
While attackers can exploit the flaws remotely, they would need to be authenticated, according to the advisory; meaning they would first need to log into the web-based management interface with administrative privileges and then supply crafted requests to the application. The web-based management Webex interface does not properly validate these crafted requests, enabling attackers to execute arbitrary commands.
The vulnerability affects Cisco Webex Video Mesh Software releases earlier than 2019.09.19.1956m (the fixed version). The flaw, found during internal security testing, has a CVSS score of 7.2 out of 10, making it high-severity. Cisco said that it is not aware of any exploits against the flaw in the wild.
The networking giant on Wednesday also released fixes for another high-severity glitch in the web user interface of Cisco IOS and Cisco IOS XE Software. IOS XE, a Linux-based version of Cisco’s Internetworking Operating System (IOS), is software that powers Cisco routers and switches. Products supported by IOS XE include enterprise switches (including Cisco’s Catalyst series), branch routers and edge routers including ASR 1013.
The vulnerability could enable an unauthenticated, remote attacker to launch a cross-site request forgery (CSRF) attack on affected systems. CSRF attacks, typically launched via emails that use social engineering, trick victims into clicking specially-crafted links that then send a forged request to a server.
The vulnerability stems from “insufficient CSRF protections for the web UI on an affected device,” according to Cisco. An attacker could first exploit the flaw by persuading a user to follow a malicious link.
Then, “a successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user,” according to Cisco’s advisory. “If the user has administrative privileges, the attacker could alter the configuration, execute commands or reload an affected device.”
The flaw, discovered by Mehmet Önder Key, affects Cisco devices that are running vulnerable releases of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with the HTTP Server feature enabled. Cisco said that it is not aware of any exploits in the wild against the flaw, which ranks 8.8 out of 10 on the CVSS scale.
Cisco overall on Wednesday issued 14 patches for flaws across its products, including 12 medium-severity flaws and two high-severity flaws. Last week, the company issued patches for three critical vulnerabilities impacting a key tool for managing its network platform and switches. Those bugs could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices, the company said.