Cisco has issued yet another fix for a persistent Webex vulnerability that the networking giant had previously patched twice.
The vulnerability, which allows privilege escalation, affects the update service of Cisco Webex Meetings Desktop App for Windows and Cisco Webex Productivity Tools. The issue with the video conferencing and communications platform was first discovered by security researchers Ron Bowes and Jeff McJunkin at Counter Hack Challenges, who dubbed the flaw WebExec and disclosed it last October.
The Webex vulnerability (CVE-2018-15442) allowed anyone with a login to a Windows system where WebEx is installed to run system-level code remotely. Cisco had released a patch for the flaw prior to the public disclosure, but Bowes and McJunkin noted the update service could still be started remotely and affect vulnerable systems.
A month later, researchers at SecureAuth, an identity and access management vendor based in Irvine, Calif., discovered the first patch for the Webex vulnerability could be bypassed through a technique called dynamic link library hijacking. Cisco reissued the patch in late November to address the bypass.
However, on Wednesday, Cisco issued a third patch for the Webex vulnerability after SecureAuth detected yet another issue with the previous fix.
“The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files,” SecureAuth wrote in a security advisory. “An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.”
SecureAuth also detailed a proof-of-concept attack that would bypass Cisco’s second patch. The issue was given a new CVE number (CVE-2019-1674), which Cisco gave a 7.8 CVSS base score.
Cisco said the vulnerability is fixed in Cisco Webex Meetings Desktop App 33.6.6 and 33.9.1 releases, as well as version 33.0.7 of Cisco Webex Productivity Tools.