Cisco has released several patches for users of WebEx clients and its Access Control System, all of which are mandatory if users want to keep using the products safely. The release comes two weeks after the networking giant issued critical patches for an array of WebEx installments.
Advisory CVE-2018-0264 says the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files suffers from a vulnerability that, if exploited, “could allow an unauthenticated, remote attacker to execute arbitrary code on the system of a targeted user.”
Various organizations use the players to play back WebEx meeting recordings. If your installation comes as part of Cisco WebEx Business Suite, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and the Cisco WebEx ARF Player, install the patch ASAP, as there are no workarounds for the flaw. To patch, users must perform a simple software update.
CVE-2018-0253 is about a weakness in the ACS Report component of Cisco Secure Access Control System (ACS) that could allow a remote attacker to take hold of the system without having to authenticate as a valid user.
“Commands executed by the attacker are processed at the targeted user’s privilege level,” Cisco says. “The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device.”
Finally, according to CVE-2018-0258, a vulnerability in the Cisco Prime File Upload servlet used by several Cisco products could allow a remote attacker to upload malicious files to a vulnerable device and execute whatever intentions he has. Users must update the servlet to patch the vulnerability.
Quite a number of Cisco products, in fact, do not suffer from this particular flaw. All of those unaffected products are listed in the advisory.