—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability

Advisory ID: cisco-sa-20181024-webex-injection

Revision: 1.0

For Public Release: 2018 October 24 16:00 GMT

Last Updated: 2018 October 24 16:00 GMT

CVE ID(s): CVE-2018-15442

CVSS Score v(3): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

+———————————————————————

Summary

=======

A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user.

The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.

While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection”]

—–BEGIN PGP SIGNATURE—–

iQJ5BAEBAgBjBQJb0JjeXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50
IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly
dEBjaXNjby5jb20+AAoJEJa12PPJBfczh0gQAMZP2PVMTaYDqf3UWskU3iW8xDVD
plNpwOm7VI4WWyEAf5i1rEVqQ3eyXi2S66/t3lUNkOZeRSukMxYF2WlgVftMdTI+
ZoS2D24jKQY6Hb7KjHzf+7D98oYag/XQiQN4dcpEdWwr14deH6njW0YsL3y3nc2F
c2gEBtrn9eWCSxCyYwhekZWHravYxSlj9lKk0EbLdKSZAPT7xC0BhWfY2bJ/Nuky
wP1pgLlvQreu0I8Zm8Xjpc98IZSMGZyeWodnr73YJ7SDpHTcydYjOJT5cYgn7rxg
QImpTtN2nciinKP4bvpk9fFD1Y4qLTY5DYoqXTB9HwmX4gBZqCPxn6VvPA0+54d1
Woj+vajO0LfyIZtr3IemrNq5PhUWHu9fErRG9AC/9OUP6CNfd07aYjxfoMLV9Ffk
4SkCbNkJTIZQoikWCpfwOzNEsdeg9c+O6k1jeT3LvhQsHwe1hG3QYhbj78OWGGGI
nWhIX0PvcKGEMUAeqQpIJJtTs9Rl7PilYwA/Php82QtpvWWbORORLOHJ5y9Q/Vts
SQSjrpz8OBlh0lpt11U9gutFVw7SVcZqaUgCgvqzDvUDJ4boo5IDWFDnvz8/qstN
BUdVRuhocCU/CAO6LVKkw6T9q+BepiT21HGO/38pAed2WMXydsepp5ORwhrIbtQC
5ERZJLmXeHpVUQwU
=pZAm
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com