VERT Threat Alert: Cisco WebEx Browser Extension Remote Code Execution

Posted on January 25, 2017
VERT Threat Alert: April 2017 Patch Tuesday Analysis

Vulnerability Description

A vulnerability in the Cisco WebEx Browser extension for Chrome, Firefox, and Internet Explorer could be used to execute code on a victim system. It is trivial to exploit the vulnerability and sample exploit code has been released publicly. The vulnerability leverages command execution in the launch_meeting message via a message event, which can be executed on any page containing a specific magic pattern.

Exposure and Impact

Successful exploitation of the vulnerability could result in the ability to run code in the context of the user by making the call to launch_meeting message. A successful attack would require that the victim visit their malicious URL containing the exploit code.

Remediation & Mitigation

Cisco has released version 1.0.7 of the Chrome plugin to fix this vulnerability. The recommend mitigation at this time includes uninstalling the WebEx plugin.

Detection

This custom rule should be bound to the Google Chrome application and will identify vulnerable versions of the Cisco WebEx Extension for Google Chrome. This will report systems affected by CVE-2017-3823. Click Here to Download (ZIP) (Updated to consider 1.0.7 the fixed version) Tripwire is planning to release coverage for this CVE in ASPL-709. Additional rules may be posted here before the release of ASPL-709 to facilitate discovery of vulnerable extensions for other browsers.

References

Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!