Lucene search

HistoryNov 13, 2020 - 12:00 a.m.

Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities (cisco-sa-webex-nbr-NOS6FQ24)

2020-11-1300:00:00

www.tenable.com

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

38.7%

JSON

According to its self-reported version, Cisco Webex Network Recording Player for Windows and Cisco Webex player for Windows are affected by multiple arbitrary code execution vulnerabilities due to insufficient validation of certain elements of a Webex recording that is stored in the Advanced Recording Format (ARF) or Webex Recording Format (WRF). An unauthenticated attacker can exploit these, by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file, in order to execute arbitrary code on the affected system with the privileges of the targeted user.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(142880);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/04/16");

  script_cve_id("CVE-2020-3573", "CVE-2020-3603", "CVE-2020-3604");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu53451");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu53534");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu55885");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu55901");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu59610");
  script_xref(name:"CISCO-SA", value:"cisco-sa-webex-nbr-NOS6FQ24");
  script_xref(name:"IAVA", value:"2020-A-0529-S");

  script_name(english:"Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities (cisco-sa-webex-nbr-NOS6FQ24)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Webex Network Recording Player for Windows and Cisco Webex player for
Windows are affected by multiple arbitrary code execution vulnerabilities due to insufficient validation of certain
elements of a Webex recording that is stored in the Advanced Recording Format (ARF) or Webex Recording Format (WRF). An
unauthenticated attacker can exploit these, by sending a user a malicious ARF or WRF file through a link or email
attachment and persuading the user to open the file, in order to execute arbitrary code on the affected system with the
privileges of the targeted user.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-nbr-NOS6FQ24
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7e2d7e71");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu53451");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu53534");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu55885");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu55901");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu59610");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvu53451, CSCvu53534, CSCvu55885, CSCvu55901,
CSCvu59610");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3604");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/11/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/11/13");

  script_set_attribute(attribute:"agent", value:"windows");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:webex_network_recording_player");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:webex_player");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("webex_player_installed.nasl");
  script_require_keys("installed_sw/WebEx ARF/WRF Player");

  exit(0);
}

include('vcf.inc');

app = 'WebEx ARF/WRF Player';
get_kb_item_or_exit('installed_sw/' + app);

app_info = vcf::get_app_info(app:app);

if (app_info.version =~ "^40\.6")
  fix = '40.6.11';
else
  fix = '40.8.0';

constraints = [
  { 'min_version' : '0.0', 'fixed_version' : fix }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

VendorProductVersionCPE
ciscowebex_network_recording_playercpe:/a:cisco:webex_network_recording_player
ciscowebex_playercpe:/a:cisco:webex_player

Vendor	Product	Version	CPE
cisco	webex_network_recording_player		cpe:/a:cisco:webex_network_recording_player
cisco	webex_player		cpe:/a:cisco:webex_player

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3573

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3603

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3604

www.nessus.org/u?7e2d7e71

bst.cloudapps.cisco.com/bugsearch/bug/CSCvu53451

bst.cloudapps.cisco.com/bugsearch/bug/CSCvu53534

bst.cloudapps.cisco.com/bugsearch/bug/CSCvu55885

bst.cloudapps.cisco.com/bugsearch/bug/CSCvu55901

bst.cloudapps.cisco.com/bugsearch/bug/CSCvu59610

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

38.7%

JSON

Related for CISCO-SA-WEBEX-NBR-NOS6FQ24.NASL