The Cisco WebEx Recording Format (WRF) player contains six buffer overflow vulnerabilities. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user. The Cisco WebEx WRF Player is an application used to play back WRF WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The Cisco WebEx WRF Player can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The Cisco WebEx WRF Player can also be manually installed for offline playback after downloading the application from http://www.webex.com/play-webex-recording.html. If the Cisco WebEx WRF Player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the Cisco WebEx WRF Player was manually installed, users will need to manually install a new version of the Cisco WebEx WRF Player after downloading the latest version from http://www.webex.com/play-webex-recording.html. Cisco has updated affected versions of the WebEx meeting sites and Cisco WebEx WRF Player to address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-webex
| Title |
CVE ID |
Cisco Bug ID |
|---|---|---|
| Cisco WebEx Recording Format Player Buffer Overflow Vulnerability | CVE-2012-3936 |
CSCua40962 |
| Cisco WebEx Recording Format Player Buffer Overflow Vulnerability | CVE-2012-3937 |
CSCtz72967 |
| Cisco WebEx Recording Format Player Buffer Overflow Vulnerability | CVE-2012-3938 |
CSCtz73583 |
| Cisco WebEx WRF Player Memory Corruption Vulnerability | CVE-2012-3939 |
CSCua61331 |
| Cisco WebEx Recording Format Player Buffer Overflow Vulnerability | CVE-2012-3940 |
CSCtz72958 |
| Cisco WebEx Recording Format Player Heap Overflow Vulnerability |
CVE-2012-3941 |
CSCtz72850 |
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance providers.
The following client builds of Cisco WebEx Business Suite (WBS 27 and WBS 28) correct the vulnerabilities described in this advisory:
Client builds prior to T27 SP32 have reached end of support; to obtain fixed software please upgrade to the latest version.
To determine the WebEx client build, users can log in to their Cisco WebEx meeting site and navigate to the Support > Downloads section via the links on the left side of the page. The version of the WebEx client build will be displayed on the right side of the page. Cisco WebEx software updates are cumulative in client builds. For example, if client build 27.32.10 is fixed, build 27.32.11 will also contain the software update.
The Microsoft Windows, Apple Mac OS X, and Linux versions of the Cisco WebEx WRF Player are all affected. If the Cisco WebEx WRF Player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the Cisco WebEx WRF Player was manually installed, users must download the latest version from http://www.webex.com/play-webex-recording.html and install it.
Users can determine whether a Cisco WebEx WRF Player is affected by these vulnerabilities by manually verifying the installed version. To do so, users can examine the file version and determine whether it contains the fixed code.
Microsoft Windows
Five dynamic link libraries (DLLs) were updated on the Microsoft Windows platform to address the vulnerabilities that are described in this advisory. These files are in the C:\Program Files\WebEx\Record Playback folder or the C:\Program Files (x86)\Webex\Record Player folder. The version number of a DLL can be obtained by browsing the Record Playback directory in Windows Explorer, right-clicking the filename, and choosing Properties. The Version or Details tab of the Properties page provides details on the library version. The following table provides the first fixed version for each DLL. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.
| Client Build | Cisco DLL Filename | DLL File Versions |
|---|---|---|
| 28.4 | atas32.dll |
28,400,12,629 |
| 28.4 | atas32_lite.dll |
28,400,112,629 |
| 28.4 | atrecply.dll |
2028,1204,600,700 |
| 28.4 | atrpui.dll |
2028,1204,700,1300 |
| 28.4 | atdl2006 |
1028,1204,500,2400 |
| 27.32.10 | atas32.dll |
2,6,32,4 |
| 27.32.10 |
atas32_lite.dll |
2,6,32,104 |
| 27.32.10 |
atrecply.dll |
2027,1232,610,2600 |
| 27.32.10 |
atrpui.dll |
2027,1232, 610,2600 |
| 27.32.10 |
atdl2006 |
1027,1232,710,1200 |
Apple Mac
Four package bundles were updated on the Apple Mac OS platform to address the vulnerabilities that are described in this advisory. This file is in each user's home directory and can be accessed from ~/Library/Application Support/WebEx Folder/924. The version can be obtained by browsing to the appropriate folder in Finder and control-clicking the filename. When the menu is displayed, choose show package contents and then double-click the Info.plist file. The version number is shown at the bottom of the displayed table. The following table provides the first fixed version for each package bundle. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.
| Client Build | Cisco Bundle Filename | Bundle File Versions |
|---|---|---|
| 28.4 | atas.bundle |
1207,25,2804,0 |
| 28.4 |
asplayback.bundle |
1206,26,2804,0 |
| 28.4 |
as.bundle |
1206,29,2804,0 |
| 28.4 | WebEx Player.app | 1206,20,2804,0 |
| 27.32.10 | atas.bundle |
1206.28.2732.10 |
| 27.32.10 | asplayback.bundle | 1206.28.2732.10 |
| 27.32.10 | as.bundle |
1206.28.2732.10 |
| 27.32.10 | WebEx Player.app |
1206.28.2732.10 |
Linux
Three shared objects were updated on the Linux platform to address the vulnerabilities that are described in this advisory. These files are in the ~/.webex directory. The version number of the shared objects can be obtained by performing a directory listing with the ls command. The version number is provided after the .so extension. The following table provides the first fixed version for each shared object. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.
| Client Build | Cisco Shared Object Filename | Shared Object File Versions |
|---|---|---|
| 28.4 | atascli.so |
1,0,28,18 |
| 28.4 | libnbrascli.so |
1.0.28.17 |
| 28.4 | atascli.so (used by meeting client) |
922800025 |
| 27.32.10 | atascli.so |
1.29.27.27 |
| 27.32.10 | libnbrascli.so |
1.29.27.22 |
| 27.32.10 | atascli.so (used by meeting client) |
922729007 |
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
These vulnerabilities were reported to Cisco by Beyond Security, Core Security, Codenomicon, and TELUS.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
| Revision 1.0 | 2012-October-10 | Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon