Cisco has released security updates to fix vulnerabilities in its Webex Meetings Desktop Application and Webex Productivity Tools.
A high-severity command injection vulnerability (CVE-2018-15442) was fixed in the Webex Meetings Desktop App. An authenticated attacker could exploit this bug to execute arbitrary commands as a privileged user.
“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges,” Cisco said in the advisory.
Cisco confirmed that the vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.0 and Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows-based end-user system.
Cisco libssh vulnerability updates
Cisco also issued an updated security advisory for the recently disclosed libssh authentication bypass vulnerability (CVE-2018-10933), which affects multiple Cisco products.
A number of products are still under investigation to confirm whether they are impacted by the libssh bug, which could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.
See the latest advisory for more details on fixes or workarounds as they become available, as well as Cisco products confirmed not vulnerable to the libssh bug.