A vulnerability is found in the service of Cisco WebEx meetings extensions for Windows which can allow an unprivileged local attacker to elevate privileges and run arbitrary commands using the SYSTEM user privileges.

Vulnerability: The vulnerability was discovered by Marcos Accossatto from SecureAuth exploits’ writers’ team.   A potential attacker could exploit this software flaw by replacing the Cisco WebEx Meetings update binary with a “previous vulnerable version through a fake update (the service uses an XML to check which files can be installed) that will load a malicious DLL,” leading to privilege escalation and allowing the actor to run arbitrary commands with SYSTEM user privileges.

How the exploit works?

As detailed by the SecureAuth research team:

The vulnerability can be exploited by copying to a local attacker controller folder, the atgpcdec.dll binary and rename it as atgpcdec.7z. Then, a previous version of the ptUpdate.exe file must be compressed as 7z and copied to the controller folder. Also, a malicious dll must be placed in the same folder, named vcruntime140.dll and compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the controller folder for the update binary (ptUpdate.exe) to treat our files as a normal update. To gain privileges, the attacker must start the service with the command line: sc start webexservice WebexService 1 989898 “attacker-controlled-path”

With a common weakness enumeration (CWE-78) classified as OS command injection, the vulnerability could allow an unprivileged local attacker to run arbitrary commands with system user privileges by invoking the update service command with a crafted argument, according to the advisory.

CVE ID: CVE-2018-15442

Affected Versions: This vulnerability affects Cisco WebEx extensions and plugins for Windows when running on most supported browsers. The affected browsers are Google Chrome, Mozilla Firefox, and Internet Explorer for Windows.

The following versions of the Cisco WebEx browser extensions are affected by the vulnerability:

• Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome
• Versions prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox
• Versions prior to the first fixed version of the GpcContainer Class ActiveX control plugin on Internet Explorer.
• Versions prior to 2.1.0.10 of the Download Manager ActiveX control plugins on Internet Explorer.

Remediation:

Customers can determine which versions of the Cisco WebEx extensions are being utilized by following the steps listed below and a patch is available for the same:

Google Chrome

Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017, and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx Extension for Google Chrome by doing the following:

In Chrome, open the Settings page­ àClick Extensions

The extension version is listed next to the Cisco WebEx Extension name.

The Cisco WebEx Extension for Google Chrome identification string, which organizations can use to identify hosts that contain the plugin, is the following:

Jlhmfgmfgeifomenelglieieghnjghma

Mozilla Firefox

Version 106 of the ActiveTouch General Plugin Container for Mozilla Firefox was released on January 28, 2017, and contains a fix for this vulnerability. Mozilla users can ensure they are using the fixed version of the ActiveTouch General Plugin Container for Mozilla by:

Clicking the menu button (three horizontal bars on the upper right of the application) and selecting Add-ons. In the Add-ons Manager tab, click the Plugins panel.

Locate the ActiveTouch General Plugin Container in the list of Plugins and click on the More link to obtain the version information.

The Cisco WebEx NPAPI Plugin for Mozilla Firefox identification string, which organizations can use to identify hosts that contain the plugin, is the following:

Atgpccontrol

Microsoft Internet Explorer

Versions of the Cisco WebEx Plugin for Microsoft Internet Explorer were released on January 28, 2017, and contain a fix for this vulnerability. The registered name of the plugin in Internet Explorer may differ based on the installation method used for the plugin. The fixed version of the plugin depends on the version of Cisco WebEx that provided the update. The update may have been applied either via the web when joining a WebEx meeting or by a local update of the client via an MSI file. Internet Explorer users can ensure they are using the fixed version of the plugin for Internet Explorer by:

In Internet Explorer, select the Tools button

Select Manage add-ons

Select All add-ons from the Show drop-down menu

Select either Download Manager or GpcContainer Class add-on under Cisco WebEx LLC

The version number is displayed at the bottom of the Manage Add-ons window.

Products Confirmed Not Vulnerable

• No other Cisco products are currently known to be affected by this vulnerability.
• Cisco WebEx Productivity Tools are not affected by this vulnerability.
• Cisco has confirmed that this vulnerability does not affect Cisco WebEx browser extensions for Mac or Linux, or Cisco WebEx on Microsoft Edge.