CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.
The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.
Cisco has released software updates for Google Chrome and Mozilla Firefox that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex
Affected Products
Vulnerable Products
This vulnerability affects Cisco WebEx extensions for Windows when running on most supported browsers. The affected browsers are Google Chrome and Mozilla Firefox.
The following versions of the Cisco WebEx browser extensions are affected by the vulnerability described in this document:
- Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome
- Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox
Google Chrome
Chrome users can determine the version of the Cisco WebEx extension for Google Chrome by doing the following:
- In Chrome, click the menu button (three dots at the upper right of the application) and choose More Tools > Extensions
- Locate Cisco WebEx Extension in the list of extensions; the installed version is shown with its entry
The Cisco WebEx extension for Google Chrome identification string (its Chrome Web Store extension ID, which also appears as the directory name under a profile's Extensions folder), which organizations can use to identify hosts that contain the extension, is the following: jlhmfgmfgeifomenelglieieghnjghma
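The following is an added example, not part of the Cisco advisory, showing how an administrator might turn the extension ID and the fixed version above into an endpoint inventory check. The extension ID jlhmfgmfgeifomenelglieieghnjghma and the threshold 1.0.12 come from the advisory. Everything else is assumed: Chrome's standard on-disk layout <User Data>\<profile>\Extensions\<extension id>\<version>_<n>\manifest.json, Firefox's per-profile extensions.json add-on registry, and matching the Firefox add-on by the name "Cisco WebEx Extension" because the advisory gives no Firefox add-on ID. The sample profiles are constructed in a temporary directory so the script runs offline.

```python
"""Inventory check for CVE-2017-6753: find installed copies of the Cisco WebEx
browser extension on disk and flag versions below 1.0.12.

Added example, not from the Cisco advisory. Extension ID and fixed version are
from the advisory; the profile layouts and the Firefox name match are assumptions.
"""
import json
import re
import tempfile
from pathlib import Path

WEBEX_CHROME_EXTENSION_ID = "jlhmfgmfgeifomenelglieieghnjghma"  # from the advisory
WEBEX_FIREFOX_ADDON_NAME = "Cisco WebEx Extension"             # assumed match key
FIXED_VERSION = "1.0.12"                                       # first fixed release


def parse_version(text):
    """'1.0.12' -> (1, 0, 12). Compare numerically: as strings, '1.0.9' > '1.0.12'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_fixed(version):
    """True when the installed extension version is 1.0.12 or later."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def chrome_extension_versions(profile_dir, ext_id=WEBEX_CHROME_EXTENSION_ID):
    """Versions of ext_id under <profile>/Extensions/<ext_id>/<version>_<n>/manifest.json.
    Chrome can leave an older version directory beside the current one, so every
    version found is returned and the caller judges by the newest."""
    versions = []
    ext_dir = Path(profile_dir) / "Extensions" / ext_id
    for version_dir in (ext_dir.iterdir() if ext_dir.is_dir() else []):
        manifest = version_dir / "manifest.json"
        if not manifest.is_file():
            continue
        try:
            version = json.loads(manifest.read_text(encoding="utf-8")).get("version")
        except (OSError, ValueError, AttributeError):
            continue
        if isinstance(version, str):
            versions.append(version)
    return versions


def firefox_extension_versions(profile_dir, name=WEBEX_FIREFOX_ADDON_NAME):
    """Versions of add-ons whose display name is `name` in <profile>/extensions.json."""
    registry = Path(profile_dir) / "extensions.json"
    if not registry.is_file():
        return []
    try:
        addons = json.loads(registry.read_text(encoding="utf-8")).get("addons", [])
    except (OSError, ValueError, AttributeError):
        return []
    return [a["version"] for a in addons
            if a.get("defaultLocale", {}).get("name") == name and "version" in a]


def assess(versions):
    """(newest installed version or None, vulnerable?) for one browser profile."""
    if not versions:
        return None, False
    newest = max(versions, key=parse_version)
    return newest, not is_fixed(newest)


def build_sample_profiles(base):
    """Constructed fixture (not real data): a Chrome profile still on 1.0.9, a Chrome
    profile with a stale 1.0.11 beside the fixed 1.0.12, and a Firefox profile on 1.0.12."""
    base = Path(base)
    chrome = {"Default": ["1.0.9_0"], "Profile 1": ["1.0.11_0", "1.0.12_0"]}
    for profile, version_dirs in chrome.items():
        for vdir in version_dirs:
            d = base / "chrome" / profile / "Extensions" / WEBEX_CHROME_EXTENSION_ID / vdir
            d.mkdir(parents=True, exist_ok=True)
            (d / "manifest.json").write_text(json.dumps(
                {"name": "Cisco WebEx Extension", "version": vdir.split("_")[0]}))
    ff = base / "firefox" / "abc123.default"
    ff.mkdir(parents=True, exist_ok=True)
    (ff / "extensions.json").write_text(json.dumps({"addons": [
        {"id": "placeholder@example.invalid", "version": "1.0.12", "type": "extension",
         "defaultLocale": {"name": WEBEX_FIREFOX_ADDON_NAME}}]}))  # placeholder add-on ID
    return base


def demo():
    """Run the check over the constructed fixture; returns {label: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_profiles(tmp)
        report = {}
        for profile in sorted((base / "chrome").iterdir()):
            report["chrome/" + profile.name] = assess(chrome_extension_versions(profile))
        for profile in (base / "firefox").iterdir():
            report["firefox/" + profile.name] = assess(firefox_extension_versions(profile))
        return report


if __name__ == "__main__":
    for label, (version, vulnerable) in demo().items():
        print(f"{label}: {version} {'VULNERABLE' if vulnerable else 'fixed'}")
```

To run this against real machines, point chrome_extension_versions at each profile under %LOCALAPPDATA%\Google\Chrome\User Data and firefox_extension_versions at each profile under %APPDATA%\Mozilla\Firefox\Profiles, for every user on the host. The version comparison is numeric on purpose: a string comparison would rank 1.0.9 above 1.0.12 and report a vulnerable host as fixed. Note that the check reports what is present on disk; a version directory can remain after the extension has been disabled or updated, so treat a hit as a lead to confirm in the browser's extension manager rather than as proof the vulnerable code is active.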
Mozilla Firefox
Firefox users can determine the version of the Cisco WebEx extension for Mozilla Firefox by doing the following:
- In Firefox, click the menu button (three horizontal bars at the upper right of the application) and choose Add-ons
- Click the Extensions tab
- Locate Cisco WebEx Extension in the list of extensions and click the More link to obtain the version information
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products:
- Cisco WebEx Productivity Tools
- Cisco WebEx browser extensions for Mac or Linux
- Cisco WebEx on Microsoft Edge or Internet Explorer
Workarounds
There are no workarounds that address this vulnerability. However, Windows users may use Internet Explorer and administrators and users of Windows 10 systems may use Microsoft Edge to join and participate in WebEx sessions because Microsoft Internet Explorer and Microsoft Edge are not affected by this vulnerability. Additionally, administrators and users can remove all WebEx software from a Windows system by using the Meeting Services Removal Tool, which is available from https://help.webex.com/docs/DOC-2672.
Fixed Software
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
To resolve the vulnerability, users must ensure that they have updated versions of the following:
- Cisco WebEx extensions for Google Chrome or Mozilla Firefox
- Cisco WebEx Desktop Applications
For the latest information about fixes for the following products, consult the appropriate Cisco bug ID:
- Cisco WebEx Meeting Center: CSCvf15012
- Cisco WebEx Event Center: CSCvf15036
- Cisco WebEx Training Center: CSCvf15033
- Cisco WebEx Support Center: CSCvf15037
- Cisco WebEx Meetings Server: CSCvf15020
- Cisco WebEx Meetings: CSCvf15030
Browser Updates
The following subsections provide instructions for updating the Cisco WebEx browser extensions. Customers can allow their browsers to auto-update by launching the browser and keeping the browser window open for 3-6 hours, during which time the extensions will be auto-updated.
Note: Should the browser window close before the auto-update check completes, the timer will reset, requiring a browser window to be launched at a later time and remain open for 3-6 hours to receive the update.
Google Chrome
The Cisco WebEx extension for Google Chrome version 1.0.12 was released on July 13, 2017, and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx extension for Google Chrome by doing the following:
- In Chrome, click the menu button (three dots at the upper right of the application) and choose More Tools > Extensions.
- Check the Developer mode check box at the top of the extensions manager. Chrome will display a row of buttons.
- Click the Update extensions now button.
- Restart the Chrome browser.
Mozilla Firefox
The Cisco WebEx extension for Mozilla Firefox version 1.0.12 was released on July 12, 2017, and contains a fix for this vulnerability. Firefox users can ensure they are using the fixed version of the Cisco WebEx extension for Mozilla Firefox by doing the following:
- In Firefox, click the menu button (three horizontal bars at the upper right of the application) and choose Add-ons
- Click the Extensions tab
- Locate Cisco WebEx Extension in the list of extensions and click the More link to obtain the version information
- Click the cogwheel next to the search bar and choose Check for Updates
Microsoft Internet Explorer
Because there are shared components between the Google Chrome and Mozilla Firefox extensions and Internet Explorer, Internet Explorer users will be prompted to update Cisco WebEx plug-ins. The plug-ins are available as part of the Cisco WebEx client packages associated with each WebEx product, and will be available to download after a WebEx site has been upgraded to a fixed version. Upgraded clients are available from the Downloads section of each site after an upgrade has been performed. Users that connect to an upgraded site without the updated client software may be prompted to perform an online upgrade.
Customers may check that the browser plug-in upgrade was successful by using the following procedures for Microsoft Internet Explorer:
Note: The registered name of the plug-in in Internet Explorer may differ based on the installation method used for the plug-in. The version of the plug-in depends on the version of Cisco WebEx that provided the update. The update may have been applied either via the web when joining a WebEx meeting or by a local update of the client via an MSI file. When a fixed version of the plug-in from any version of Cisco WebEx is installed, it will not be downgraded or changed to a version installed by a different fixed version of Cisco WebEx. Internet Explorer users can ensure they are using the fixed version of the plug-in for Internet Explorer by doing the following:
- In Internet Explorer, click the Tools button (the cog icon at the upper right of the application) and choose Manage add-ons.
- From the Show drop-down menu, choose All add-ons.
- Select either the Download Manager or GpcContainer Class add-on under Cisco WebEx LLC. The version number is displayed at the bottom of the Manage add-ons window.
- Validate that the Download Manager version or GpcContainer Class version displayed is one of the version strings in the following table:
Cisco WebEx Major Version    Fixed GPC Container or Download Manager Version
32.3.4.5                     10032.3.2017.711
31.14.3.30                   10031.14.2017.711
31.11.11                     10031.11.2017.0713
30.20.3.10012                10030.100.2017.0711
30.9.3                       10030.100.2017.0713
30.6.7                       10030.100.2017.0713
Validating Cisco WebEx Desktop Application Product Upgrades
Cisco has released fixes for all major versions for Cisco WebEx Desktop Application for use with following products:
- Cisco WebEx Meeting Center
- Cisco WebEx Event Center
- Cisco WebEx Training Center
- Cisco WebEx Support Center
- Cisco WebEx Meetings
Cisco WebEx Major Version    Fixed Desktop Application Version
WBS32                        32.3.4.5
WBS31                        31.14.3, 31.11.11
WBS30                        30.20.3, 30.9.3, 30.6.7
Note: There are no fixes available for WBS29.
Current WebEx customers can confirm that their site has received updated software by reviewing the Application Version information in the Support section of their WebEx page. Perform the following steps to view this information:
- Sign in to your WebEx account
- Click the Meeting Center tab
- Under Support, click Downloads
- The Application Version is displayed on the right side of the screen under the About Meeting Center heading
If you have not automatically received the update, please contact Cisco Support or a Cisco partner.
Note: The clients for all licensed features of a Cisco WebEx product must be upgraded to ensure compatibility with the deployed site application version. Upgrading a single client will resolve the vulnerability documented by CVE-2017-6753. The following clients are available:
- Cisco WebEx Meeting Center Client
- Cisco WebEx Event Center Client
- Cisco WebEx Training Center Client
- Cisco WebEx Support Center Client
- Cisco WebEx Access Anywhere Client
- Cisco WebEx Remote Access Client
Cisco WebEx Meetings
Cisco has released a fix for Cisco WebEx Meetings. Cisco WebEx Meetings Software has been upgraded to T30.20.3.
Cisco WebEx Meetings Server
Customers who have deployed Cisco WebEx Meetings Server, the onsite Cisco WebEx offering, can download updated software at https://software.cisco.com/download/navigator.html?mdfid=282628019&flowid=76922 or choose the following options from the Cisco Software Center:
Products > Conferencing > Web Conferencing > WebEx Meetings Server
It is recommended that customers utilizing Cisco WebEx Meetings Server version 2.6 migrate to Cisco WebEx Meetings Server 2.7 or later. The following releases of Cisco WebEx Meetings Server have been updated to address this vulnerability:
- WebEx Meetings Server 2.6MR3 Patch 5
- WebEx Meetings Server 2.7MR2 Patch 9
- WebEx Meetings Server 2.8 Patch 3
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
This vulnerability was reported to Cisco by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Version   Description                                                  Section          Status   Date
1.3       Included Cisco WebEx Meetings Server 2.6 patch information.  Fixed Software   Final    2017-August-11
1.2       Included browser auto-update information.                    Fixed Software   Final    2017-July-19
1.1       Modified workarounds section.                                Workarounds      Final    2017-July-18
1.0       Initial public release.                                      –                Final    2017-July-17
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.