[SingCERT] Critical Cisco Webex Vulnerabilities (CVE-2019-15283, CVE-2019-15284, CVE-2019-15285, CVE-2019-15286, CVE-2019-15287)
Published on Friday, 08 November 2019 17:54
Cisco has released software patches to address critical vulnerabilities (CVE-2019-15283, CVE-2019-15284, CVE-2019-15285, CVE-2019-15286, CVE-2019-15287) found in the Cisco Webex Network Recording Player and Cisco Webex Player. The Webex Network Recording Player is an application used to convert Webex recording files to standard formats such as Windows Media Video, Flash or MP4. The Webex Player is an application used to play back and edit recorded Webex meeting files.
An attacker can exploit these vulnerabilities by sending a targeted user an Advanced Recording Format (ARF) or WebEx Recording Format (WRF) file and tricking the user into opening it. This then allows the attacker to perform remote code execution on the user's operating system.
The following products and releases are affected:
• Cisco Webex Meetings sites — All Webex Network Recording Player and Webex Player releases earlier than Release WBS 39.5.12
• Cisco Webex Meetings Online — All Webex Network Recording Player and Webex Player releases earlier than Release 1.3.44
• Cisco Webex Meetings Server — All Webex Network Recording Player releases earlier than Release 4.0MR2
Successful exploitation of these critical vulnerabilities could allow attackers to take control of the affected system to perform malicious activities, including unauthorised installation of programs, the creation of rogue administrator accounts and the ability to view, change or delete data.
System administrators using the affected products should install the latest security updates immediately. More details on the security alerts can be found at https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities.
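One way to triage a software inventory against the fixed releases listed above, as an added example that is not from SingCERT or Cisco. The product keys, the inventory row layout and the release-string grammar (optional `WBS` prefix, dotted integers, optional `MR<n>` suffix) are assumptions modelled on how the advisory writes the releases.

```python
import re

# First fixed releases, copied from the advisory's affected-releases list.
# The dictionary keys are labels invented for this example.
FIXED = {
    "meetings-sites": "WBS 39.5.12",
    "meetings-online": "1.3.44",
    "meetings-server": "4.0MR2",
}

def parse_release(text):
    """Turn 'WBS 39.5.12', '1.3.44' or '4.0MR2' into a comparable tuple."""
    # Assumed grammar: optional 'WBS', dotted integers, optional 'MR<n>'.
    # Anything else raises, so an odd entry is never treated as patched.
    m = re.fullmatch(r"\s*(?:WBS\s*)?(\d+(?:\.\d+)*)\s*(?:MR\s*(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # '4.0' and '4.0.0' compare equal
        nums.pop()
    return tuple(nums), int(m.group(2) or 0)

def triage(inventory):
    """Map host -> 'affected' | 'fixed' | 'unknown' for (host, product, release) rows."""
    result = {}
    for host, product, release in inventory:
        try:
            installed = parse_release(release)
            fixed = parse_release(FIXED[product])
        except (KeyError, ValueError):
            result[host] = "unknown"          # needs manual review
            continue
        result[host] = "affected" if installed < fixed else "fixed"
    return result

# Constructed sample inventory: hostnames and installed releases are made up.
SAMPLE = [
    ("ws-001", "meetings-sites", "WBS 39.5.11"),
    ("ws-002", "meetings-sites", "WBS 39.6"),
    ("ws-003", "meetings-online", "1.3.44"),
    ("srv-01", "meetings-server", "4.0MR1"),
    ("srv-02", "meetings-server", "3.0MR3"),
    ("ws-004", "meetings-sites", "latest"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Hosts reported as `unknown` carry a release string or product the parser does not recognise and should be checked by hand, not assumed patched.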