Cisco Webex Meetings Desktop App on Windows Update Service os command injection

Summaryinfo

A vulnerability classified as critical has been found in Cisco Webex Meetings Desktop App and Webex Productivity Tools on Windows. Affected by this vulnerability is an unknown functionality of the component Update Service. This manipulation causes os command injection. This vulnerability appears as CVE-2019-1674. The attack requires local access. In addition, an exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Cisco Webex Meetings Desktop App and Webex Productivity Tools on Windows (Unified Communication Software) (version now known). It has been declared as critical. Affected by this vulnerability is some unknown processing of the component Update Service. The manipulation with an unknown input leads to a os command injection vulnerability. The CWE definition for the vulnerability is CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. This vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1 releases. This vulnerability is fixed in Cisco Webex Productivity Tools Release 33.0.7.

The bug was discovered 02/27/2019. The weakness was presented 02/28/2019 as cisco-sa-20190227-wmda-cmdinj as confirmed advisory (Website). It is possible to read the advisory at tools.cisco.com. This vulnerability is known as CVE-2019-1674 since 12/06/2018. Attacking locally is a requirement. Required for exploitation is a single authentication. Technical details are unknown but a public exploit is available. The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 371672 (Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability(cisco-sa-20190227-wmda-cmdinj)).

Upgrading eliminates this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Unified Communication Software

Vendor

• Cisco

Name

• Webex Meetings Desktop App
• Webex Productivity Tools

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion