Millions of people can be attacked through a vulnerability in the Cisco WebEx conferencing platform.
Cisco WebEx's webinar and online-meeting services hold more than half of the global web-conferencing market (53%) and are used by more than 20 million people. This week, researchers from SkullSecurity and Counter Hack disclosed a vulnerability in the desktop version of WebEx for Windows that allows arbitrary commands to be executed with SYSTEM privileges.
What is the problem
The vulnerability was identified in the update service of Cisco Webex Meetings Desktop for Windows and stems from insufficient validation of user-supplied parameters.
It allows an authenticated local attacker to execute arbitrary commands as the privileged SYSTEM user. According to the researchers who found the bug, the vulnerability can also be exploited remotely.
The researchers report that the WebExService service, when started with the software-update argument, will launch any command the user supplies. Notably, to run the command it uses the token of the system process winlogon.exe, so the command runs with the highest privileges on the system.
C:\Users\ron>sc \\10.10.10.10 start webexservice a software-update 1 wmic process call create "cmd.exe"

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
For remote exploitation, an attacker needs only sc.exe, the standard Windows tool for managing services.
How to protect
To address the vulnerability, Cisco WebEx released a patch that adds a verification step. The service now checks whether the executable passed in its parameters is signed by WebEx; if the file does not carry the correct signature, the service stops instead of running it.
Users need to update Cisco Webex Meetings Desktop to version 33.5.6 or 33.6.0. To do so, start the Cisco Webex Meetings application, click the gear icon in the upper right corner of the application window, and select “Check for updates” from the drop-down list.
Administrators can install the update for all their users at once by following Cisco's recommendations for mass application deployment.
In addition, experts from Positive Technologies have created a Suricata IDS signature to detect and block attempts to exploit the CVE-2018-15442 vulnerability. For users of PT Network Attack Discovery, this rule is already available through the update mechanism.
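As an added illustration (not code from the article, Cisco or WebEx), the following PowerShell function mirrors the kind of check the patch introduces: it treats a binary as trusted only if its Authenticode signature is valid and the signing certificate's subject names the expected publisher. The publisher pattern and the sample paths are assumptions.

```powershell
# Added example: a publisher-pinned Authenticode check, the defensive pattern behind the WebEx fix.
# Assumption: the expected signer subject contains "Cisco WebEx"; adjust the pattern for your environment.
function Test-TrustedUpdateBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $PublisherPattern = '*Cisco WebEx*'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Verbose "Not a file: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # A missing, broken or revoked signature is rejected outright.
    if ($sig.Status -ne 'Valid') {
        Write-Verbose "Signature status for ${Path}: $($sig.Status)"
        return $false
    }

    # A valid signature alone is not enough: the system shell is validly signed by Microsoft,
    # so the signer must also be the expected publisher.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $PublisherPattern) {
        Write-Verbose "Unexpected signer for ${Path}: $subject"
        return $false
    }

    return $true
}

# Usage with constructed paths: cmd.exe carries a Microsoft signature, so only the publisher
# check rejects it; the second path stands in for a binary the update service would be handed.
Test-TrustedUpdateBinary -Path "$env:SystemRoot\System32\cmd.exe" -Verbose
Test-TrustedUpdateBinary -Path 'C:\Program Files\Webex\example-update.exe' -Verbose
```

Run it in an elevated PowerShell session on Windows; the Verbose stream explains why a given file was rejected.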