Critical Cisco WebEx bug could let attackers remotely execute malicious code using poisoned Flash attack

Cisco's WebEx, a widely-used conferencing software, has been diagnosed with a serious flaw that could potentially allow any threat actor remotely execute malicious code on target machines using poisoned Adobe Flash files . Attackers could exploit WebEx’s file-sharing tool to spread the malware directly to other meeting participants' devices to perform various nefarious activities.

The vulnerability was reported directly to Cisco by Alexandros Zacharis of ENISA (European Union Agency for Network and Information Security). Cisco has confirmed the list of programs with the flaw.

  • Cisco WebEx Business Suite (WBS31) client builds prior to T31.23.2
  • Cisco WebEx Business Suite (WBS32) client builds prior to T32.10
  • Cisco WebEx Meetings with client builds prior to T32.10
  • Cisco WebEx Meetings Server builds prior to 2.8 MR2

The vulnerability lies in insufficient input validation by Cisco WebEx's client software wherein WebEx fails to properly check Flash (.swf) files when uploaded to a meeting room.

Cisco has released a fix for these vulnerable programs and said there have been no incidents involving exploitation of the flaw so far, according to a new security advisory. The "critical" vulnerability CVE-2018-0112 is rated 9.0 by CVSS. Users who install the patch is will no longer be able to send flash files (.swf) using the file-sharing feature.

While organizations that have opted for automatic updates could have had a fix to this flaw, those with manual software updates and expired licenses could still be at risk. Users have been advised to be wary of phishing attempts and malicious attachments via email. Given that Cisco WebEx is one of the most widely used conferencing software among enterprises, these attack vectors are expected and likely to be fruitful.