JPCERT-AT-2018-0043
JPCERT/CC
2018-10-26
I. Overview
On October 24, 2018 (US time), Cisco released a security advisory about a vulnerability (CVE-2018-15442) in Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools. When the vulnerability is exploited, a local user may run arbitrary commands with SYSTEM user privileges.
For more information on the vulnerability, please refer to the information provided by Cisco.
Cisco
Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection
Cisco has rated this vulnerability as "High". Also, JPCERT/CC has confirmed that proof-of-concept code for the vulnerability (CVE-2018-15442) has already been made public.
If you are using an affected version of Cisco Webex Meetings Desktop App or Cisco Webex Productivity Tools, please apply the security update as described in "III. Solution".
II. Affected Products
The following versions are affected by this vulnerability:
- Cisco Webex Meetings Desktop App releases prior to 33.5.6
- Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5
The products are affected by this vulnerability only when Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools are running on a Microsoft Windows end-user system.
To check the current version, please refer to the following information provided by Cisco.
Cisco
Check the Cisco Webex Meetings Desktop App Version
https://collaborationhelp.cisco.com/article/en-us/0usc4ab
Cisco
Check the Cisco Webex Productivity Tools Version for Windows
https://collaborationhelp.cisco.com/article/en-us/nf387ab
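The affected ranges above can be applied to a software inventory export to find hosts that still need the update. The following is an added example, not part of the JPCERT/CC or Cisco advisory; the CSV columns, host names and status labels are assumptions, and the inventory rows are constructed sample data.

```python
import csv
import io

# Ranges from "II. Affected Products": (first affected release or None, first fixed release)
AFFECTED = {
    "Cisco Webex Meetings Desktop App": (None, (33, 5, 6)),
    "Cisco Webex Productivity Tools": ((32, 6, 0), (33, 0, 5)),
}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,os,product,version
ws-001,Windows 10,Cisco Webex Meetings Desktop App,33.5.5
ws-002,Windows 10,Cisco Webex Meetings Desktop App,33.5.6
ws-003,Windows 7,Cisco Webex Productivity Tools,32.6.0
ws-004,Windows 10,Cisco Webex Productivity Tools,33.0.5
ws-005,Windows 10,Cisco Webex Productivity Tools,32.5.9
mac-01,macOS 10.13,Cisco Webex Meetings Desktop App,33.4.1
ws-006,Windows 10,Cisco Webex Meetings Desktop App,unknown
"""

def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if it is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def pad(version, length):
    """Right-pad with zeros so 33.5 and 33.5.0 compare as equal."""
    return version + (0,) * (length - len(version))

def classify(product, version, os_name):
    """Classify one inventory row against the ranges in the advisory."""
    if product not in AFFECTED or not os_name.lower().startswith("windows"):
        return "not-applicable"      # only Windows installs are affected
    v = parse_version(version)
    if v is None:
        return "unknown-version"     # needs a manual check, never assume fixed
    low, fixed = AFFECTED[product]
    n = max(len(v), 3)
    v = pad(v, n)
    if low is not None and v < pad(low, n):
        return "not-affected"        # older than the first affected release
    return "affected" if v < pad(fixed, n) else "fixed"

def triage(inventory_csv):
    """Map each host in the CSV text to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"], r["os"]) for r in rows}
```

Rows reported as unknown-version should be checked by hand using the Cisco version-check articles referenced above.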
III. Solution
Cisco has released versions that address the vulnerability. Please apply the update.
- Cisco Webex Meetings Desktop App Release 33.5.6 and later
- Cisco Webex Productivity Tools Release 33.0.5 and later
In addition, Cisco Webex Productivity Tools has been replaced with Cisco Webex Meetings Desktop App since Cisco Webex Meetings Release 33.2.0.
IV. References
Cisco
Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection
Cisco
Check the Cisco Webex Meetings Desktop App Version
https://collaborationhelp.cisco.com/article/en-us/0usc4ab
Cisco
Check the Cisco Webex Productivity Tools Version for Windows
https://collaborationhelp.cisco.com/article/en-us/nf387ab
US-CERT
Cisco Releases Security Updates
https://www.us-cert.gov/ncas/current-activity/2018/10/24/Cisco-Releases-Security-Updates
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/