A vulnerability was recently found with the Cisco WebEx Browser Extensions that could be used by attackers to execute arbitrary operating system commands on a computer just by browsing to a web page. This was due to the way the extensions handle web pages performing meeting requests known as the “magic URL.” By taking advantage of this an attacker could compromise large numbers of corporate workstations.
Currently a fix has been deployed by Cisco; however, it does not address all aspects of the vulnerability. While simply browsing to any website is no longer enough to trigger the exploit, if an attacker is in control of the network, such as with a man-in-the-middle attack or rogue access point, they would be able to still execute the attack.
Because of this, Cisco WebEx should be uninstalled where it is no longer in use. Where it is required, a VPN should be enforced and untrusted networks should be avoided.
Due to the simplicity of the attack, publicly available exploits have already been released.
Is my organization vulnerable?
Cisco WebEx is installed throughout many workstations across a huge range of organisations, it is also typically installed by users to join meetings without the explicit knowledge of IT departments. Because of this it is very likely there are some workstations with old instances that may still be vulnerable. With around 20 million active users, it is also likely that this has already been included in common exploit packs.
While automatic updates may alleviate some of the risk, remote workers and users that connect to insecure public networks can still be exploited even with the latest version.
SureCloud Platform scanning
SureCloud is expecting to be able to detect this vulnerability within our scanning engine in the upcoming days.
The best defence against this vulnerability is to uninstall Cisco WebEx and the related browser extensions across Firefox, Chrome and Internet Explorer. If Cisco WebEx is absolutely required, ensure it is only used on secure networks or over a VPN if the network is not fully trusted.
- Initial Report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
- Official Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
- Public Exploit: https://www.exploit-db.com/exploits/41148/
Find out more about our Cybersecurity services here.