Networking giant Cisco has issued critical patches for vulnerabilities in two of its widely used software products, both of which can be exploited by a remote attacker. Users of WebEx and Unified Computing System (UCS) Director are urged to patch as soon as possible.
The advisory for CVE-2018-0112 states that Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server suffer from a vulnerability that “could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.”
The vulnerability, reported to Cisco by Alexandros Zacharis of the European Union Agency for Network and Information Security (ENISA), stems from insufficient input validation by the Cisco WebEx clients. Adobe Flash is the delivery vehicle: an attacker who is already a meeting attendee (hence “authenticated”) could share a malicious .swf file through the conferencing platform’s file-sharing feature, and a client that opens it would execute the attacker’s code on the endpoint.
“Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability,” the company bluntly states.
The fixed releases are T32.10 and T31.23.2 for the WebEx Business Suite clients, T32.10 for the WebEx Meetings client, and 2.8 MR2 for WebEx Meetings Server. Since Cisco offers no workaround, installing these updates is the only way to remove the risk.
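A practical check that follows from the version list above is a branch-aware comparison of deployed client versions against the fixed releases, since a T31 client is only fixed by a T31 release and a T32 client only by a T32 release. The script below is an added example, not Cisco tooling or code from the advisory; it assumes WebEx client versions are reported as strings of the form "T31.23" or "T32.9.1" (leading "T<branch>", then dotted numeric components) and that the two fixed releases quoted in the article are the minimum safe versions on their respective branches. The inventory is constructed sample data, not real hosts.

```python
"""Branch-aware check of WebEx client versions against fixed releases.

Added example, not Cisco tooling. Assumptions (not from the advisory text):
client versions look like "T31.23" / "T32.9.1", where "T<nn>" names a
release branch and only a release on the same branch fixes that branch.
"""
import re
from typing import List, Optional, Tuple

# Minimum fixed client release per branch, as named in the article:
# T32.10 for the T32 branch, T31.23.2 for the T31 branch.
FIXED_WEBEX_CLIENT = {32: (32, 10), 31: (31, 23, 2)}

_VERSION_RE = re.compile(r"^T(\d+)((?:\.\d+)*)$")


def parse_webex_version(text: str) -> Tuple[int, ...]:
    """Turn 'T31.23.2' into (31, 23, 2); raise ValueError on other shapes."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised WebEx version string: {text!r}")
    branch = int(m.group(1))
    rest = [int(p) for p in m.group(2).split(".") if p]
    return (branch, *rest)


def is_webex_client_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below its branch's fixed release,
    False if it is at or above it, None if the branch is not one the
    advisory text lists (so it needs a manual look rather than a verdict)."""
    ver = parse_webex_version(text)
    fixed = FIXED_WEBEX_CLIENT.get(ver[0])
    if fixed is None:
        return None
    # Tuple comparison is component-wise; a shorter prefix such as
    # (31, 23) sorts below (31, 23, 2), which is the behaviour we want.
    return ver < fixed


# Constructed sample inventory (hostname, reported client version).
SAMPLE_INVENTORY = [
    ("laptop-01", "T32.9.5"),
    ("laptop-02", "T32.10"),
    ("laptop-03", "T31.23"),
    ("laptop-04", "T31.23.2"),
    ("laptop-05", "T30.5"),
]


def hosts_needing_attention(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for hosts that are vulnerable or on a
    branch the advisory text does not cover; patched hosts are omitted."""
    rows = []
    for host, version in inventory:
        verdict = is_webex_client_vulnerable(version)
        if verdict is None:
            rows.append((host, version, "unlisted-branch"))
        elif verdict:
            rows.append((host, version, "vulnerable"))
    return rows


if __name__ == "__main__":
    for host, version, status in hosts_needing_attention(SAMPLE_INVENTORY):
        print(f"{host:<12} {version:<10} {status}")
```

Hosts on a branch outside T31 and T32 are reported rather than silently passed, because the article gives no fixed release for them and a plain "not vulnerable" verdict there would be a guess.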
Cisco also patched a vulnerability in its Unified Computing System (UCS) Director platform, the management software for a data center stack that combines hardware, virtualization support, and switching fabric.
The flaw, as described in a separate advisory, “could allow an authenticated, remote attacker to view unauthorized information for any virtual machine in the UCS Director end-user portal and perform any permitted operations on any virtual machine.”
An attacker needs only a valid user name and password for the end-user portal; with those, they can view and act on any virtual machine rather than just their own, because, per the advisory, all access levels are enabled by default on end-user accounts. The vulnerability affects default configurations of UCS Director 6.0 and 6.5 prior to Patch 3. In other words, install Patch 3 for your release branch to stay out of harm’s way.