pixel_dreams - Fotolia
Project Zero finds Cisco WebEx vulnerability in browser extensions
A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack.
Cisco patched a critical vulnerability in browser extensions used to connect to its popular WebEx web and video conferencing service that would have allowed a threat actor to remotely execute arbitrary code. As many as 20 million WebEx users may have been exposed to the flaw.
The Cisco WebEx vulnerability affected the browser extensions for Chrome, Firefox and Internet Explorer for Windows. Google Project Zero researcher Tavis Ormandy discovered the vulnerability and reported it to Cisco on Jan. 21. Cisco's security advisory and patch was published three days later. "That was a really impressive response time from Cisco over the weekend," Ormandy wrote.
"The extension works on any URL that contains the magic pattern 'cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html,' which can be extracted from the extensions manifest," Ormandy wrote in the bug tracker entry for the WebEx vulnerability. "Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough."
"The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code," he continued.
The vulnerability has no workarounds, according to Cisco's advisory, which described the flaw as a "vulnerability in the Cisco WebEx browser extensions provided by Cisco WebEx Meetings Server and Cisco WebEx Meeting Center [that] could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system."
While the Cisco WebEx extensions for Chrome, Firefox and Internet Explorer for Windows were affected by the vulnerability, the WebEx extension for Microsoft's Edge browser was not; the extensions for Mac and Linux were also not affected. Cisco stated the vulnerability had not been observed in the wild prior to publication of the advisory.
Cisco described the attack as using a "crafted pattern" -- what Ormandy referred to as a "magic string." Cisco's advisory read: "An attacker could exploit this vulnerability by directing a user to a webpage that contains the crafted pattern and starting a WebEx session. The WebEx session could allow the attacker to execute arbitrary code on the affected system, which could be used to conduct further attacks."
Cisco's fix is to block remote code execution (RCE) from all sites, except Cisco's WebEx sites. "This means that if a site is not *.webex.com or *.webex.com.cn, then the user must click OK for code execution to happen," Ormandy wrote, adding that the Cisco WebEx vulnerability could be considered fixed. "Hopefully, webex.com is well-maintained and not full of [cross-site scripting]."
Not everyone was pleased with Cisco's solution. Mozilla information security engineer April King, commenting on the Project Zero issue entry for the Cisco WebEx vulnerability, wrote, "I just wanted to voice my extreme dubiousness about this fix." She pointed out that the WebEx domain "doesn't seem to follow any of the most basic of web hygiene tasks."
"If I'm an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?"
Matthew Green, a computer science professor at Johns Hopkins University, tweeted a screenshot of King's comment, along with his own opinion:
The fix for arbitrary code execution on WebEx looks pretty sketchy. You might want to uninstall that extension ASAP. pic.twitter.com/B1xNnhuSSM
— Matthew Green (@matthew_d_green) January 24, 2017