Cisco Patches WebEx Hole

Monday, September 19, 2016 @ 03:09 PM gHale


Cisco patched a critical vulnerability in WebEx Meetings Server last week, one of nine flaws it fixed.

The remote command injection flaw (CVE-2016-1482) could allow an unauthenticated, remote attacker to execute arbitrary commands with elevated privileges on a WebEx Meetings Server.


There is no workaround for the flaw, so the only remediation available to administrators is to apply Cisco's patch.

“A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system,” Cisco said in an advisory.

“The vulnerability is due to insufficient sanitization of user-supplied data processed by the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands into existing application scripts running on a targeted device located in a DMZ [and] could allow an attacker to execute arbitrary commands on the device with elevated privileges.”
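Cisco's description, insufficient sanitization of user-supplied data that ends up in commands run by existing application scripts, is the textbook OS command injection pattern. The Python below is an illustration added here, not code from Cisco or from WebEx Meetings Server; the input string, the use of `echo` as a stand-in for the real tool, and the hostname allow-list are all constructed for the example. It shows the bug and the two defences a practitioner would expect: never let a shell parse the value, and validate it against an allow-list before use.

```python
import re
import subprocess

# Constructed sample input (hypothetical; not taken from Cisco's advisory): a
# value a web front end might hand to a server-side script. The ';' is a shell
# metacharacter that ends the intended command and starts another.
TAINTED = "host1; echo INJECTED"


def vulnerable_run(value: str) -> str:
    """Interpolates the value into a command line parsed by /bin/sh.

    'echo' stands in for whatever tool the script really calls; the shell sees
    two commands, so the attacker-supplied second one runs too.
    """
    result = subprocess.run(f"echo {value}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def argv_run(value: str) -> str:
    """Defence 1: pass the value as its own argv element, with no shell involved.

    Metacharacters reach the program literally and are never interpreted.
    """
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout


# Defence 2: allow-list validation. A hostname never legitimately contains
# ';', '|', '$', backticks or whitespace, so reject anything outside this set.
_SAFE_TOKEN = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate(value: str) -> str:
    """Accepts only characters a hostname can contain; rejects everything else."""
    if not _SAFE_TOKEN.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return value


def hardened_run(value: str) -> str:
    """Both defences together: validate first, then execute without a shell."""
    return argv_run(validate(value))


def hardened_run_rejects(value: str) -> bool:
    """True if hardened_run refuses the value instead of running anything."""
    try:
        hardened_run(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_run(TAINTED)))  # second command ran
    print("argv only: ", repr(argv_run(TAINTED)))        # literal string echoed
    print("hardened:  ", hardened_run_rejects(TAINTED))  # input rejected
```

The argv form alone already stops the injection, but validation is still worth having: the called program may itself interpret the value (an option that starts with `-`, a path, a URL), and rejecting unexpected characters early keeps that surface small as well.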

Denial-of-service vulnerabilities also affect Cisco's Web Security Appliance, WebEx Meetings Server, IOS XE software, and Carrier Routing System.

The WebEx Meetings Server denial-of-service flaw (CVE-2016-1483) is rated high severity and stems from improper validation of user accounts by specific services.

“An unauthenticated, remote attacker could exploit this vulnerability by repeatedly attempting to access a specific service, causing the system to perform computationally intensive tasks and resulting in a denial of service attack condition.”
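What Cisco describes here is the general pattern of an unauthenticated endpoint that performs expensive work on every request it receives. The Python below is an illustration added here, not code from Cisco or from WebEx Meetings Server; the `Throttle` class, the `AuthService` stand-in, the CPU-burning loop, the client address and the limits are all constructed for the example. It shows the design point a practitioner would want: a cheap per-client check must run before the costly step, so a flood from one source is turned away before it consumes CPU.

```python
import time
from collections import deque

# Constructed parameters (hypothetical; not from Cisco's advisory).
WINDOW_SECONDS = 60.0
MAX_ATTEMPTS_PER_WINDOW = 5
WORK_UNITS = 5_000   # size of the stand-in for the expensive operation


class FakeClock:
    """Deterministic clock so the example runs without real waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Throttle:
    """Sliding-window attempt counter per client. Checking it is cheap."""
    def __init__(self, max_attempts, window, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._hits = {}          # client_id -> deque of attempt timestamps

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:   # drop expired attempts
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True


def expensive_account_check(account: str) -> bool:
    """Stand-in for the computationally intensive task the attacker triggers
    (a password hash or directory lookup in a real service). Burns CPU, then
    reports the account unknown, as a guessed account would be."""
    h = 0
    for i in range(WORK_UNITS):
        h = (h * 31 + ord(account[i % len(account)])) & 0xFFFFFFFF
    return False


class AuthService:
    def __init__(self, throttle=None):
        self.throttle = throttle
        self.expensive_calls = 0   # how often the costly path actually ran

    def login(self, client_id: str, account: str) -> str:
        # Cheap check first: refuse before spending CPU on an abusive client.
        if self.throttle is not None and not self.throttle.allow(client_id):
            return "rate_limited"
        self.expensive_calls += 1
        return "ok" if expensive_account_check(account) else "denied"


def flood(service, attempts: int, client_id="203.0.113.7") -> int:
    """Repeated requests from one constructed client; returns how many reached
    the expensive path."""
    for i in range(attempts):
        service.login(client_id, f"guess{i}")
    return service.expensive_calls


def unthrottled_cost(attempts=100) -> int:
    """Without a throttle every request does the expensive work."""
    return flood(AuthService(), attempts)


def throttled_cost(attempts=100) -> int:
    """With a throttle only the first window's worth of requests does."""
    throttle = Throttle(MAX_ATTEMPTS_PER_WINDOW, WINDOW_SECONDS, FakeClock())
    return flood(AuthService(throttle), attempts)


def throttle_recovers() -> bool:
    """A client is served again once the window has passed."""
    clock = FakeClock()
    svc = AuthService(Throttle(MAX_ATTEMPTS_PER_WINDOW, WINDOW_SECONDS, clock))
    flood(svc, MAX_ATTEMPTS_PER_WINDOW + 3)
    blocked = svc.login("203.0.113.7", "alice") == "rate_limited"
    clock.advance(WINDOW_SECONDS)
    return blocked and svc.login("203.0.113.7", "alice") == "denied"
```

Two caveats apply. A per-source limit only blunts a flood from a single address; an attacker spread across many sources needs a global budget for the expensive operation as well. And the throttle itself must stay cheap and bounded (here, at most `max_attempts` timestamps per client), or it becomes the new resource to exhaust.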