Dive Brief:
- Cisco on Wednesday published an advisory for a high-severity arbitrary code execution vulnerability in the Webex Meetings Desktop App for Windows. Cisco found the vulnerability during routine internal security testing and said it has no indication that the bug has been exploited.
- The bug stems from improper validation of messages processed by the Webex Meetings app; an attacker could exploit it by sending "malicious messages to the affected software by using the virtualization channel interface," according to the advisory.
- Cisco released software updates that resolve the bug and said "there are no workarounds that address this vulnerability."
Insight:
With employees sitting at home, tools such as Webex have become a lifeline for company operations.
This year, Accenture found an increase in social engineering as "cyberespionage and cybercriminal groups attempt to take advantage of vulnerable employees unfamiliar with managing their technology environments," according to the company's 2020 Cyber Threatscape Report.
The vulnerability does not affect Cisco Webex Meetings Server, the on-premises product. It affects the desktop app when it runs in a virtual desktop environment using virtual environment optimization, where a successful attack can lead to arbitrary code execution.
More generally, internet-facing systems and services "that typically communicate externally" have become a safe place for adversaries to "hide their traffic in the background noise," Accenture said. That cover can then be used to support credential harvesting.
The bug is exploitable only "when Cisco Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and is configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients," the advisory said.
The thin-client plug-ins, which run on remote employees' endpoints, do not require updates; the app installed within the HVD, however, does need to be patched. Successful exploitation could allow the attacker to execute arbitrary code with the privileges of the targeted user, according to Cisco.