Before it was patched, a critical vulnerability in the Chrome extension for Cisco's WebEx web conferencing software could have allowed adversaries to remotely execute code on machines that visited compromised URLs containing a special string of characters.
In a Tuesday security advisory, Cisco reported that it has patched the error, officially designated as CVE-2017-3823, and has begun to automatically roll out a new release of the software.
The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy, who explained in his public disclosure report that the aforementioned “magic string” or “magic pattern” was found within a “secret URL” used by WebEx during online sessions. Would-be attackers could have lifted this string from the extension's manifest and placed it in a compromised website, so that the plug-in would automatically launch when its users visited said website. This would have allowed the attackers to execute code and install malware, drive-by-download style.
“The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!),” warned Ormandy in his advisory, noting that the WebEx Chrome extension has 20 million active users. Furthermore, attackers could have hidden the string, indicated as “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”, in an iframe that is invisible to the human eye, so as not to arouse the suspicions of these 20 million potential victims.
Some reports say Cisco's fix may not go far enough. According to a blog post by Cloudflare Security Team researcher Filippo Valsorda, when a WebEx Chrome extension user visits a URL containing the magic string, the plug-in now shows a pop-up alert warning that the “WebEx meeting client will be launched if you accept this request,” but it does not block the action altogether. Thus, anyone who inadvertently or confusedly accepts the request will subsequently be infected.
“Moreover, the Webex.com website is still allowed to bypass the popup. If a vulnerability is found on the Webex.com website, it can be used to compromise any machine running even the updated version,” Valsorda continued. However, this criticism may have been addressed by an update to the patch, which according to Ars Technica reduces the risk of attackers exploiting cross-site scripting vulnerabilities to bypass Cisco's protections.
The patched version of the software is officially listed as version 1.0.5.
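A defender-side check for the trigger described above, as an added example that is not from Cisco, Project Zero or the article: it scans web proxy log records for requests whose URL contains the magic pattern and separates webex.com hosts (which, per Valsorda, can still bypass the pop-up) from all others. The log format (timestamp, client, method, URL, status), the sample records and the function names are assumptions constructed for illustration; percent-decoding and case-folding are conservative choices, not documented extension behaviour.

```python
from urllib.parse import urlsplit, unquote

# Pattern quoted in the article; everything else here is constructed.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
VENDOR_DOMAIN = "webex.com"


def is_vendor_host(host):
    """True only for webex.com and its subdomains, not lookalike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def classify(url):
    """Return None, 'vendor' or 'third-party' for one requested URL."""
    if MAGIC not in unquote(url).lower():
        return None
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed authority: treat as untrusted
        host = None
    return "vendor" if is_vendor_host(host) else "third-party"


def scan(lines):
    """Return (line_no, client, url, verdict) for every matching request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:  # skip truncated or malformed records
            continue
        client, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict:
            hits.append((line_no, client, url, verdict))
    return hits


# Constructed sample records: timestamp client method url status
SAMPLE_LOG = [
    f"2017-01-24T10:00:01Z 10.0.0.5 GET https://meetings.webex.com/m/{MAGIC} 200",
    "2017-01-24T10:00:07Z 10.0.0.8 GET https://news.example.test/index.html 200",
    f"2017-01-24T10:00:09Z 10.0.0.8 GET https://cdn.example.test/a/{MAGIC} 200",
    f"2017-01-24T10:01:12Z 10.0.0.9 GET https://webex.com.example.test/{MAGIC.upper()} 200",
    f"2017-01-24T10:02:30Z 10.0.0.9 GET https://cdn.example.test/{MAGIC.replace('-', '%2D')} 200",
    "2017-01-24T10:02:31Z truncated-record",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Third-party hits are the ones to triage first; the host check compares against `.webex.com` with the leading dot so that lookalike hostnames are not treated as the vendor.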
“Cisco is in the process of investigating all aspects of the Cisco WebEx Browser Extension Remote Code Execution Vulnerability,” reads an official company statement that Cisco provided to SC Media. “We have already started publishing many of the fixes for affected versions, and will continue to publish additional updates as they become available in the coming days.”
SC Media reached out to Google's Project Zero and Ormandy for further comment.