This entry was originally posted at https://www.workshare.com/blog/cisco-webex-what-went-wrong.
I try to keep up with the latest security news, but sometimes it
feels impossible to read everything that happens: too many things
going wrong, too many times.
One of the most important ones I have seen of late is a remote code
execution hole in the Chrome plugin for WebEx, a conferencing program
widely used by around 20M people across the world, particularly in
enterprises.
What this means, in plain English, is that by getting you to visit a URL
in your Chrome browser, a remote attacker can run any software on your
computer with your current permissions, without you having to do anything
else. All you have to do is click on the wrong link in your email, Slack,
Skype or a website, and someone may end up doing whatever they want with
your computer.
The interesting part is how it works. The plugin appears to have a
backdoor, a remote command execution capability that lets it be
controlled remotely. The plugin also includes a C runtime, a low-level
library that provides various bits of functionality, among them a
function that executes arbitrary commands at the operating-system level;
that function is what allows arbitrary commands to be run.
How did it get there? We have no idea.
We can guess that it was added during development, to be able to test
different parts of the application, and was then forgotten, or maybe it
was put there on purpose; either way it indicates that Cisco's security
practices have been shaky (to say the least). The fact that the URL
requires a reasonably complicated string to trigger the behaviour may
indicate that there was some effort to secure the application, but that
effort was ineffective.
The recommended solution was to remove the affected version and update
to version 1.0.3, but, again, it was not properly tested and did not
fully resolve the issue: any XSS on webex.com would still have allowed a
remote attacker to run things on your system. Version 1.0.5, which is the
patched version, is still vulnerable. For our clients who are users, or
for any users in fact, the only safe option right now is to fully remove
the plugin until Cisco issues a valid fix. If you really need the plugin,
at the very least upgrade to 1.0.5.
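The advice above boils down to an inventory question: which versions of the extension are installed on the machines you care about? The script below is an added example, not code from the original post or from Cisco, that walks a Chrome profile's Extensions directory for a given extension ID and flags every installed version below the minimum the post recommends (1.0.5). The extension ID is a placeholder assumption and must be replaced with the real ID of the extension being audited; the sample profile it scans is constructed in a temporary directory so the example runs offline. It also handles the edge cases a real profile throws up: several installed versions side by side, missing or unparseable manifests, and versions with fewer than four components.

```python
"""Flag Chrome extension installs below a minimum safe version.

Added example for the post above; not the post's or the vendor's code.
Chrome stores unpacked extensions as
  <profile>/Extensions/<extension-id>/<version>_<n>/manifest.json
and a profile may hold more than one installed version at once.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# PLACEHOLDER (assumption): replace with the real 32-character extension ID.
TARGET_EXTENSION_ID = "placeholder-extension-id"
# Minimum version the post recommends if the plugin cannot be removed.
MIN_SAFE_VERSION = "1.0.5"


def parse_version(v):
    """Parse a Chrome extension version (1 to 4 dot-separated integers)
    into a 4-tuple so that '1.0' and '1.0.0.0' compare equal."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a valid extension version: {v!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def is_below(version, minimum):
    """True if `version` is strictly older than `minimum`."""
    return parse_version(version) < parse_version(minimum)


def default_extension_roots():
    """Well-known default-profile Extensions directories per platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"
                / "Default" / "Extensions"]
    return [home / ".config" / "google-chrome" / "Default" / "Extensions"]


def scan_extensions_dir(extensions_root, ext_id=TARGET_EXTENSION_ID,
                        minimum=MIN_SAFE_VERSION):
    """Return one finding per installed version of `ext_id` under
    `extensions_root`: {'version', 'path', 'status'} with status one of
    'vulnerable', 'ok' or 'unparseable'. Empty list if not installed."""
    root = Path(extensions_root) / ext_id
    findings = []
    if not root.is_dir():
        return findings
    for version_dir in sorted(root.iterdir()):
        manifest = version_dir / "manifest.json"
        if not manifest.is_file():
            continue  # stray file or half-removed install; nothing to judge
        version, status = None, "unparseable"
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            version = str(data["version"])
            status = "vulnerable" if is_below(version, minimum) else "ok"
        except (ValueError, KeyError):  # JSONDecodeError is a ValueError
            pass
        findings.append({"version": version, "path": str(manifest),
                         "status": status})
    return findings


def build_fixture(base):
    """Constructed sample profile (not real data): two versions installed,
    one below the minimum and one at it, plus a broken manifest."""
    for ver in ("1.0.3", "1.0.5"):
        d = Path(base) / TARGET_EXTENSION_ID / f"{ver}_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(
            {"name": "Sample Extension", "version": ver, "manifest_version": 2}))
    broken = Path(base) / TARGET_EXTENSION_ID / "9.9.9_0"
    broken.mkdir(parents=True, exist_ok=True)
    (broken / "manifest.json").write_text("{ not json")
    return base


def demo():
    """Scan the constructed fixture and return the statuses in directory order."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return [f["status"] for f in scan_extensions_dir(tmp)]


if __name__ == "__main__":
    roots = sys.argv[1:] or [str(r) for r in default_extension_roots()]
    for root in roots:
        for f in scan_extensions_dir(root):
            print(f"{f['status']:12} {f['version']}  {f['path']}")
    print("fixture statuses:", demo())
```

Run it with no arguments to check the default Chrome profile, or pass one or more Extensions directories (for example from collected profile copies) as arguments; a `vulnerable` line means that version is still present on disk and should be removed or upgraded, while `unparseable` deserves a manual look.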
And, be careful out there.
References:
WebEx security issue: https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
Issue with the original fix: https://twitter.com/filosottile/status/823655843388395525
Long standing VPN bug: https://blogs.cisco.com/security/shadow-brokers