{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-012.pdf"
    },
    "title": "Cisco Webex Players Vulnerabilities",
    "serial_number": "2020-012",
    "publish_date": "06-03-2020 15:07:00",
    "description": "High severity vulnerabilities were patched in the Cisco Webex video conferencing platform. In particular they affect Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. If exploited, these could allow an attacker to execute code on the affected systems.<br>The vulnerabilities are tracked as CVE-2020-3127 and CVE-2020-3128 and are both rated 7.8 out of 10.0 on the CVSS scale.",
    "url_title": "2020-012",
    "content_markdown": "---\ntitle: 'Cisco Webex Players Vulnerabilities'\nversion: '1.0'\nnumber: '2020-012'\ndate: 'March 06, 2020'\n---\n\n_History:_\n\n* _06/03/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nHigh severity vulnerabilities were patched in the Cisco Webex video conferencing platform. In particular they affect Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. If exploited, these could allow an attacker to execute code on the affected systems [1].\nThe vulnerabilities are tracked as CVE-2020-3127 and CVE-2020-3128 and are both rated 7.8 out of 10.0 on the CVSS scale [2, 3].\n\n# Technical Details\n\nThe vulnerabilities are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system. 
A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user.\n\n# Products Affected\n\nThese vulnerabilities affect the following releases of Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows, which are available from Cisco Webex Meetings sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server [1]:\n\n* Cisco Webex Meetings \u2014 all Webex Network Recording Player and Webex Player releases earlier than WBS 39.5.17 or WBS 39.11.0\n* Cisco Webex Meetings Online \u2014 all Webex Network Recording Player and Webex Player releases earlier than 1.3.49\n* Cisco Webex Meetings Server \u2014 all Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2\n\nTo determine which release of Cisco Webex Network Recording Player or Cisco Webex Player is installed on a system, open the player and choose _Help_ -> _About_.\n\n# Recommendations\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Users of the above-mentioned software are advised to upgrade to an appropriate fixed software release as indicated in the Cisco Advisory [1].\n\n# References\n\n[1] <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2020-3127>\n\n[3] <https://nvd.nist.gov/vuln/detail/CVE-2020-3128>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>06/03/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>High severity vulnerabilities were patched in the Cisco Webex video conferencing platform. In particular they affect Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. If exploited, these could allow an attacker to execute code on the affected systems [1]. The vulnerabilities are tracked as CVE-2020-3127 and CVE-2020-3128 and are both rated 7.8 out of 10.0 on the CVSS scale [2, 3].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerabilities are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system. 
A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user.</p><h2 id=\"products-affected\">Products Affected</h2><p>These vulnerabilities affect the following releases of Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows, which are available from Cisco Webex Meetings sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server [1]:</p><ul><li>Cisco Webex Meetings \u2014 all Webex Network Recording Player and Webex Player releases earlier than WBS 39.5.17 or WBS 39.11.0</li><li>Cisco Webex Meetings Online \u2014 all Webex Network Recording Player and Webex Player releases earlier than 1.3.49</li><li>Cisco Webex Meetings Server \u2014 all Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2</li></ul><p>To determine which release of Cisco Webex Network Recording Player or Cisco Webex Player is installed on a system, open the player and choose <em>Help</em> -> <em>About</em>.</p><h2 id=\"recommendations\">Recommendations</h2><p>Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. 
Users of the above-mentioned software are advised to upgrade to an appropriate fixed software release as indicated in the Cisco Advisory [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-3127\">https://nvd.nist.gov/vuln/detail/CVE-2020-3127</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-3128\">https://nvd.nist.gov/vuln/detail/CVE-2020-3128</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}