[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabilities

Advisory ID: cisco-sa-20110201-webex

Revision 1.0

For Public Release 2011 February 1 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) and Advanced Recording Format (ARF) Players.
In some cases, exploitation of the vulnerabilities could allow a
remote attacker to execute arbitrary code on the system of a targeted
user.

The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com

If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com 

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.

To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.

Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html


Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).

Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.

To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.

These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:

  * CVE-2010-3269
  * CVE-2010-3041
  * CVE-2010-3042
  * CVE-2010-3043
  * CVE-2010-3044

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html


Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss 

* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities

CVSS Base Score - 9.3
    Access Vector -            Network
    Access Complexity -        Medium
    Authentication -           None
    Confidentiality Impact -   Complete
    Integrity Impact -         Complete
    Availability Impact -      Complete

CVSS Temporal Score - 7.7
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed


Impact
======

Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.

These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.

The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.

If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.

If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html

Workarounds
===========

There are no workarounds for the vulnerabilities disclosed in this
advisory.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml 

Do not contact psirt@xxxxxxxxx or security-alert@xxxxxxxxx for
software upgrades.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.

Cisco would like to thank these organizations for reporting these
vulnerabilities.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@xxxxxxxxx
  * first-bulletins@xxxxxxxxxxxxxxx
  * bugtraq@xxxxxxxxxxxxxxxxx
  * vulnwatch@xxxxxxxxxxxxx
  * cisco@xxxxxxxxxxxxxxxxx
  * cisco-nsp@xxxxxxxxxxxxxxx
  * full-disclosure@xxxxxxxxxxxxxxxxx
  * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
| 1.0      | 2011-Feb-01 | public       |
|          |             | release.     |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
 
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at 
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/