Cisco Webex Meetings Desktop App for Windows installations before 33.6.0 can be exploited locally by authenticated attackers, allowing for the execution of arbitrary commands as a privileged user, according to a Cisco security advisory.
"The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument," says Cisco's advisory. "An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges."
Furthermore, as explained by Cisco, although the security Cisco Webex Meetings bug (also known as WebExec) requires attackers to have local access to the machines running the vulnerable software.
However, potential adversaries could exploit the vulnerability remotely on systems where Active Directory is deployed and running using OS built-in remote management tools.
"When the WebEx client is installed, it also installs a Windows service called WebExService that can execute arbitrary commands at SYSTEM-level privilege," according to Ron Bowes and Jeff McJunkin of Counter Hack, the security researchers who discovered the vulnerability.
Cisco released updates for all affected apps affected by the CVE-2018-15442 vulnerability
"Due to poor ACLs, any local or domain user can start the process over Window's remote service interface (except on Windows 10, which requires an administrator login)."
Admins who want to prevent the service from being remotely started by attackers can use the following command to disable this service functionality completely:
c:\>sc sdset webexservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPLORC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
You should still update your Cisco Webex Meetings Desktop App installation to a 33.6.0 or later release, the version Cisco patched to remove the WebExec vulnerability because, as the bug's discoverers say, WebExService "will still be vulnerable to local privilege escalation, though, without the patch."
Moreover, as detailed in Cisco's advisory, the company has released security updates for all products affected by the WebExec bug and, because there are no workarounds that completely mitigate the CVE-2018-15442 vulnerability, all system administrators are advised to update to patched Windows versions of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools.