Network Security, Patch/Configuration Management, Vulnerability Management

Cisco fixes three high-level bugs, but a fourth remains unpatched

Cisco Systems this week issued disclosed a dozen software vulnerabilities, including four high-severity flaws, one of which has not been patched.

The flaw with no current fix is CVE-2020-3155: a validation error in the SSL implementation of Cisco Intelligent Proximity, a solution that helps laptops, smartphones and other devices automatically discover and link with Webex video devices and collaboration endpoints. If exploited, the vulnerability could enable remote attackers to view or alter information shared on these Webex devices and endpoints.

"An attacker could exploit this vulnerability by using man-in-the-middle (MITM) techniques to intercept the traffic between the affected client and an endpoint, and then using a forged certificate to impersonate the endpoint," Cisco states in a security advisory. "Depending on the configuration of the endpoint, an exploit could allow the attacker to view presentation content shared on it, modify any content being presented by the victim, or have access to call controls."

Users of Cisco's Intelligent Proximity application, Jabber, Webex Meetings and Webex Teams Cisco Meeting App can all be impacted by the vulnerability if the products are configured with the Proximity feature and are used to connect to on-premises devices or collaboration endpoints with the Proximity feature also enabled.

There are no workarounds but Cisco does list mitigations in its advisory. They include disabling the Proximity pairing feature on devices and endpoints, disabling the automatic discovery of collaboration endpoints on the Proximity clients, and migrating the collaboration solution to the cloud.

The two bugs with the highest CVSS score -- designated CVE-2020-3127 and CVE-2020-3128 -- are comprised of a series of vulnerabilities that could allow attackers to gain a targeted user's privileges and then execute arbitrary code via the Cisco Webex Network Recording Player for Microsoft Windows or the Cisco Webex Player for Microsoft Windows.

According to a Cisco security advisory, the vulnerabilities are caused by "insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF)." To exploit these flaws, an adversary could send users a malicious ARF or WRF file via a link or email attachment and socially engineer the potential victim into opening the file on the local system.

Both bugs are fixed in Webex Meetings 39.5.17 and 40.0, Webex Meetings Online 1.3.49 and Webex Meetings Server 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2.

The remaining high-level bug was identified as a vulnerability in the web-based interface of Cisco Prime Network Registrar (CPNR). An unauthenticated, remote attacker could exploit this issue to perform a cross-site request forgery (CSRF) attack by tricking a user into clicking a malicious link while still in an active administrative session.

"A successful exploit could allow an attacker to change the device's configuration, which could include the ability to edit or create user accounts of any privilege level," Cisco warns in a security advisory. "Some changes to the device's configuration could negatively impact the availability of networking services for other devices on networks managed by CPNR."

CPNR was relieved of this issue with the release of version 10.1.

Medium-level vulnerabilities were found in the Webex Meetings Client for MacOS; TelePresence Management Suite; Remote PHY Device Software; Prime Collaboration Provisioning; Identity Services Engine; IOS XR Software; and Cisco AsyncOS for Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA) and Cisco Content Security Management Appliance (SMA). Also, Cisco acknowledged that certain of its wireless products are affected by the recently discovered Wi-Fi chipset vulnerability known as Krook.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.