Cisco WebEx: What went wrong?!

I try to keep up with the latest security news, but sometimes it feels like it's impossible to read everything that happens - too many things going wrong too many times.

One of the most important ones I have seen of late is a remote code execution hole in the Chrome plugin for WebEx, a conferencing program used by around 20M people across the world, particularly in enterprises.

What this means, in plain English, is that by getting you to visit a URL in your Chrome browser, a remote attacker can run any software on your computer with your current permissions, without you having to do anything else. All you have to do is click on the wrong link in your email, Slack, Skype or a website and you may be in for someone doing whatever they want with your computer.

The interesting part is how it works. The plugin contains what amounts to a backdoor: a remote command execution capability that lets a web page control it. The plugin also bundles a C runtime, a low-level library that provides various bits of functionality, including a function that executes arbitrary commands at the operating system level. That function is what allows a remote page to run whatever it wants on your machine.

How did it get there? We have no idea.

We can guess that it was put in during development, to be able to test different parts of the application, and was then forgotten, or maybe put there on purpose, but either way it indicates that Cisco's security practices have been shaky (to say the least). The fact that the URL requires a reasonably complicated string to trigger the behaviour may indicate that there was some effort to secure the application, but an ineffective one.

The recommended solution was to remove the affected version and update to version 1.0.3, but, again, it was not properly tested and did not fully resolve the issue. Any XSS on webex.com would still have allowed a remote attacker to run things on your system. Version 1.0.5, which is the patched version, is still vulnerable. For our clients who are users, or for any users in fact, the only safe option right now is to fully remove the plugin until Cisco issues a valid fix. If you really need the plugin, at the very least upgrade to 1.0.5.
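To act on that advice across a fleet you first need to know which machines have the plugin and at what version. The following is an added example (not code from the post or from Cisco) of a Chrome extension inventory sweep: it walks the profile's `Extensions/<id>/<version>/manifest.json` layout (assumed here to be Chrome's), flags any extension whose manifest name mentions WebEx, and compares its version against the 1.0.5 floor the post gives. The extension ID, directory names and manifests below are constructed sample data; a real deployment would key on the published extension ID rather than the name.

```python
import json
import tempfile
from pathlib import Path

# Minimum version the post says to run if the extension cannot be removed outright.
MIN_SAFE_VERSION = "1.0.5"


def parse_version(v):
    """Turn '1.0.3' into (1, 0, 3) so versions compare numerically, not as strings
    (string comparison would wrongly rank '1.0.10' below '1.0.5')."""
    return tuple(int(p) for p in v.split("."))


def find_webex_extensions(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json and return a sorted list of
    (extension_id, version, verdict) for every extension whose manifest name mentions WebEx."""
    findings = []
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the sweep
        name = str(data.get("name", ""))
        if "webex" not in name.lower():
            continue
        version = str(data.get("version", "0"))
        ext_id = manifest.parent.parent.name  # Chrome names the id directory, then the version
        if parse_version(version) < parse_version(MIN_SAFE_VERSION):
            verdict = "REMOVE: below " + MIN_SAFE_VERSION
        else:
            verdict = "review: at/above " + MIN_SAFE_VERSION + ", remove unless required"
        findings.append((ext_id, version, verdict))
    return sorted(findings)


def build_sample_profile():
    """Constructed sample Extensions directory (placeholder ids, not real data)."""
    root = Path(tempfile.mkdtemp())
    sample = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("Cisco WebEx Extension", "1.0.3"),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("Cisco WebEx Extension", "1.0.5"),
        "cccccccccccccccccccccccccccccccc": ("Some Other Extension", "2.4.0"),
    }
    for ext_id, (name, version) in sample.items():
        d = root / ext_id / (version + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root


if __name__ == "__main__":
    for ext_id, version, verdict in find_webex_extensions(build_sample_profile()):
        print(ext_id, version, verdict)
```

Point the function at each user's real `Extensions` directory to get a per-machine list; anything flagged REMOVE is below the floor the post sets.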

And, be careful out there.

References:

WebEx security issue: https://bugs.chromium.org/p/project-zero/issues/detail?id=1096

Issue with the original fix: https://twitter.com/filosottile/status/823655843388395525

Long-standing VPN bug: https://blogs.cisco.com/security/shadow-brokers