Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user. The Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server. The WRF Player can also be manually installed for offline playback after downloading the application from www.webex.com . If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com . Cisco has released software updates that address these vulnerabilities. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091216-webex.
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.
The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an on-line
meeting attendee. The WRF Player can be automatically installed when the user
accesses a WRF file that is hosted on a WebEx server. The WRF Player can also
be manually installed for offline playback after downloading the application
from www.webex.com
.
If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version when users
access a WRF file hosted on a WebEx server. If the WebEx WRF Player was
manually installed, users will need to manually install a new version of the
player after downloading the latest version from
www.webex.com
.
Cisco has released software updates that address these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091216-webex.
The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are affected. Affected versions of the WRF Player are those prior to the "first fixed" versions, which are shown in the section "Software Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support -> Downloads section. The version of the WebEx client build will be displayed on the right-hand side of the page under "About Support Center", for example "Client build: 27.11.0.3328."
Cisco recommends that users upgrade to the most current version of the
player that is available from
http://www.webex.com/downloadplayer.html
. However, users can
verify the installed version of the WRF Player to determine if it is affected
by these vulnerabilities. In order to do so, an administrator must examine the
version numbers of the installed files and determine if every version of the
files contains the fixed code. Detailed instructions on how to verify the
version numbers are provided in the following sections.
Microsoft Windows
There are three dynamically linked libraries (DLLs) that were updated on the Microsoft Windows platform in order to address the vulnerabilities described in this advisory. These files are located in the folder C:\Program Files\WebEx\Record Playback. The version number of the DLLs can be identified by browsing the Record Playback directory in Windows Explorer and right clicking the file name in order to view the properties. The version or details tab of the properties page provides details on the library version. The table below gives the first fixed version number for each DLL. If the installed versions are equal to, or greater then the versions provided in the table, the system is not vulnerable.
|
Library |
T26 |
T27 |
|---|---|---|
|
atas32.dll |
2.5.49.4 |
2.6.10.1 |
|
ataudio.dll |
26.2009.6.6 |
27.2009.6.17 |
|
atrpui.dll |
921.2008.7.2326 |
921.2009.6.2027 |
Mac
There are two package bundles that were updated on the Macintosh platform in order to address the vulnerabilities described in this advisory. These files are located in each users home directory, which can be accessed in ~/Library/Application Support/WebEx Folder/824 for systems connected to servers running T26 and ~/Library/Application Support/WebEx Folder/924 for systems connected to servers running T27. The version can be located by browsing the appropriate folder in the Finder and control-clicking the file name. Once the menu is displayed, select “show package contents” and then double clicking the Info.plist file. The version number is shown at the bottom of the displayed table.
|
Bundle |
T26 |
T27 |
|---|---|---|
|
ataudio.bundle |
7.5.0.5 |
8.5.0.2 |
|
WebEx Player.app |
8.0.1.3 |
10.14.11.7 |
Linux
There are two shared objects that were updated on the Linux platform in order to address the vulnerabilities described in this advisory. These files are located in the ~/.webex directory. The version number of the shared object can be obtained by performing a directory listing with the ‘ls’ command. The version number is provided after the .so extension. The following table provides the first non-vulnerable version of each object.
|
Shared Object |
T26 |
T27 |
|---|---|---|
|
ataudio.so |
1.0.26.7 |
1.27.13.1 |
|
atrecply |
1.0.26.14 |
1.0.27.12 |
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF) file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.
The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording Format
(WRF) is a file format that is used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The WRF Player is
an application that is used to play back and edit WRF files (files with .wrf
extensions). The WRF Player can be automatically installed when the user
accesses a WRF file that is hosted on a WebEx server (stream playback mode).
The WRF Player can also be manually installed after downloading the application
from www.webex.com
to play
back WRF files locally (offline playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF Player. The vulnerabilities may lead to a crash of the WRF Player application, or in some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened by the WRF Player application. An attacker may be able to accomplish this by providing the malicious WRF file directly to users (for example, via e-mail), or by convincing users to visit a malicious website. The vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:
There are no workarounds for the vulnerabilities disclosed in this advisory.
The table below contains "First Fixed" information for the Cisco WebEx WRF Player that is automatically downloaded from a WebEx site when a WRF hosted on a WebEx site is accessed (stream playback mode). Fixes are cumulative within a major release so for example, if release 27.10.1 is fixed, then release 27.10.2 will have the fix too.
|
Platform |
Major Release 26.x |
Major Release 27.x |
|
Microsoft Windows |
26.49.32; available now except lockdown sites |
27.10.x; available now for non-PSO and non-lockdown sites |
|
Mac OS X |
26.49.35; available early February 2010 |
27.11.8; available now for non-PSO and non-lockdown sites |
|
Linux |
26.49.35; available early February 2010 |
27.11.8; available now for non-PSO and non-lockdown sites |
PSO and lockdown sites running 27.x will receive the fixes for these vulnerabilities during the next emergency patching (EP) cycle. This advisory will be updated to indicate a specific timeline once one is available.
If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the latest
version from www.webex.com
.
The Cisco PSIRT is not aware of malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com
. Cisco would like to thank
FortiGuard Labs for reporting these vulnerabilities to us and for working with
us on a coordinated disclosure.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.1 |
2009-December-23 |
Revised the Vulnerable Products section |
|
Revision 1.0 |
2009-December-16 |
Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon