Cisco Fixes WebEx Vulnerabilities

Tuesday, May 13, 2014 @ 04:05 PM gHale


Cisco released updates to mitigate several vulnerabilities in WebEx Players, the applications used to play back meetings recorded with the company’s WebEx multimedia conferencing solutions.

According to an advisory published by Cisco, researchers at Fortinet, iDefense and Microsoft identified multiple buffer overflow vulnerabilities in the WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players.


The flaws can be exploited to crash the players and, in some cases, to achieve remote code execution on the affected systems.

Cisco has released updates for WebEx Business Suite meeting sites, WebEx 11 meeting sites, WebEx Meetings Server, and WebEx WRF and ARF Players to address the issues.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex

The vulnerabilities are the following:
• CVE-2014-2132 – an out-of-bounds read vulnerability in the WebEx WRF and ARF players
• CVE-2014-2133 – LZW decompress memory corruption vulnerability in WebEx ARF Player
• CVE-2014-2134 – file audio channel parsing heap overflow vulnerability in WebEx WRF Player
• CVE-2014-2135 – memory corruption vulnerability in WebEx ARF Player
• CVE-2014-2136 – memory corruption vulnerability in WebEx ARF Player

“To exploit one of these vulnerabilities, the player applications would need to open a malicious ARF or WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using email), or by directing a user to a malicious web page. The vulnerabilities cannot end up triggered by users who are attending a WebEx meeting,” Cisco said in its advisory.


