Another critical vulnerability, identified as CVE-2018-0112, has been fixed in the Cisco WebEx videoconferencing software solution.
Customers download and use the WebEx client application to attend meetings on Cisco WebEx Centers. The bug could be leveraged by attackers to compromise conference call attendees' systems by getting a booby-trapped Flash file executed in a particular meeting.
CVE-2018-0112 Technical Overview
The vulnerability is triggered by insufficient input validation by the Cisco WebEx clients and affects Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server.
More specifically, the bug could allow an authenticated, remote attacker to execute arbitrary code on a targeted system, as explained by the company in an advisory.
An attacker could exploit CVE-2018-0112 by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client. In other words, a successful exploit of the bug could allow arbitrary code execution on the system of a targeted user.
Fortunately, Cisco has already released patches that address the flaw. Please note that there are no workarounds that address this vulnerability.
Also, Cisco says that there is no evidence of the bug being exploited in the wild. The bug was discovered and reported by Alexandros Zacharis, an officer in the European Union Agency for Network and Information Security (ENISA).
More information is available in Cisco's advisory. Affected users should patch their software as soon as possible to avoid any compromise.
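Because the delivery vehicle described above is a Flash (.swf) file sent through file sharing, incident responders may want to find Flash content among files received in meetings, whatever extension it carries. The following is an added example, not code from Cisco or from the original article: it recognizes SWF content by its 8-byte header (signature, version, little-endian length). The directory to scan, the `extension_mismatch` field and the 64 MiB inflate cap are assumptions.

```python
import struct
import sys
import zlib
from pathlib import Path

# First three bytes of a SWF file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_INFLATE = 64 * 1024 * 1024  # assumption: cap on bytes inflated per file
# Constructed samples (not real Flash content): valid header plus 4 filler bytes.
SAMPLE_FWS = b"FWS" + bytes([10]) + struct.pack("<I", 12) + b"\x00" * 4
SAMPLE_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 12) + zlib.compress(b"\x00" * 4)

def parse_swf_header(data):
    """Return SWF header fields if data starts like a Flash file, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version, declared = struct.unpack_from("<BI", data, 3)
    if version == 0 or declared < 8:
        return None  # three matching letters alone are not enough
    info = {"compression": SWF_SIGNATURES[data[:3]], "version": version,
            "declared_length": declared, "length_ok": None}
    if data[:3] == b"FWS":
        info["length_ok"] = declared == len(data)
    elif data[:3] == b"CWS" and declared <= MAX_INFLATE:
        # The length field counts the 8-byte header plus the inflated body.
        try:
            body = zlib.decompressobj().decompress(data[8:], declared)
            info["length_ok"] = len(body) + 8 == declared
        except zlib.error:
            info["length_ok"] = False
    return info  # length_ok stays None when the body was not unpacked (LZMA, oversized)

def find_flash_files(root):
    """Return [(path, header)] for files under root whose content is SWF."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            info = parse_swf_header(path.read_bytes())
            if info:
                # True when Flash content hides behind a non-.swf extension.
                info["extension_mismatch"] = path.suffix.lower() != ".swf"
                hits.append((path, info))
    return hits

if __name__ == "__main__":
    for arg in sys.argv[1:]:  # directories to scan
        for path, info in find_flash_files(arg):
            print(path, info)
    print("samples:", parse_swf_header(SAMPLE_FWS), parse_swf_header(SAMPLE_CWS))
```

A hit only says the file is Flash content, not that it is malicious; a `length_ok` of `False` marks a file whose declared size disagrees with its actual size and deserves a closer look.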
Cisco has been in the spotlight lately due to a bunch of security flaws discovered in its products. One of these bugs was found in Cisco IOS Software and Cisco IOS XE Software, and its exploitation could lead to remote code execution and a denial-of-service condition. An unauthenticated, remote attacker could execute arbitrary code to take full control over a compromised network as well as intercept its traffic. This flaw has been identified as CVE-2018-0171.