Multiple vulnerabilities exist in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user.

The Cisco WebEx players are applications that are used to play back WebEx meeting recordings that have been recorded by an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.

Cisco has updated affected versions of the Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF and WRF Players to address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex-players

Title | CVE ID | Cisco Bug ID |
---|---|---|
Cisco WebEx Network Recording Player Denial of Service Vulnerability | CVE-2017-12367 | CSCve11545, CSCve02843, CSCve11548 |
Cisco WebEx Network Recording Player Remote Code Execution Vulnerability | CVE-2017-12368 | CSCve10584, CSCve10591, CSCve11503, CSCve10658, CSCve11507, CSCve10749, CSCve10744, CSCve11532, CSCve10762, CSCve10764, CSCve11538 |
Cisco WebEx Network Recording Player Out-of-Bounds Vulnerability | CVE-2017-12369 | CSCve30208, CSCve30214, CSCve30268 |
Cisco WebEx Network Recording Player Remote Code Execution Vulnerability | CVE-2017-12370 | CSCvf38060, CSCvg54836, CSCvf38077, CSCvg54843, CSCvf38084, CSCvg54850 |
Cisco WebEx Network Recording Player Remote Code Execution Vulnerability | CVE-2017-12371 | CSCvf49650, CSCvg54853, CSCvg54856, CSCvf49697, CSCvg54861, CSCvf49707, CSCvg54867 |
Cisco WebEx Network Recording Player Remote Code Execution Vulnerability | CVE-2017-12372 | CSCvf57234, CSCvg54868, CSCvg54870 |
Cisco Bug ID | First Fixed Release (WBS30, WBS31, WBS32, WebEx Meetings, WebEx Meetings Server) |
---|---|
CSCve11545 | 2.7MR3, 2.8MR1 |
CSCve02843 | T30.20, T31.14, T32.2 |
CSCve11548 | T30.20, T32.2 |
CSCve10584 | T31.14.4, T31.15, T32.3 |
CSCve10591 | 2.7MR3, 2.8MR1 |
CSCve11503 | T32.3 |
CSCve10658 | T31.14.4, T32.4 |
CSCve11507 | T32.3 |
CSCve10749 | 2.7MR3, 2.8MR1 |
CSCve10744 | T31.14.4, T32.2 |
CSCve11532 | T32.2 |
CSCve10762 | T32.4 |
CSCve10764 | 3.0 |
CSCve11538 | T32.2 |
CSCve30208 | T31.14.4, T31.15, T31.17.2, T32.3, T32.6 |
CSCve30214 | 2.7MR3, 2.8MR1 |
CSCve30268 | T32.4, T32.6 |
CSCvf38060 | T31.17, T32.5 |
CSCvg54836 | T32.7 |
CSCvf38077 | T31.17, T32.5 |
CSCvg54843 | T32.7 |
CSCvf38084 | T31.17, T32.5 |
CSCvg54850 | T32.7 |
CSCvf49650 | T31.20, T32.6 |
CSCvg54853 | 3.0 |
CSCvg54856 | T32.7 |
CSCvf49697 | T31.20, T32.6 |
CSCvg54861 | T32.7 |
CSCvf49707 | T31.20, T32.7 |
CSCvg54867 | T32.7 |
CSCvf57234 | T31.17.2, T32.6 |
CSCvg54868 | 3.0 |
CSCvg54870 | T32.7 |
Cisco Bug IDs | Reporter |
---|---|
CSCve11545, CSCve02843, CSCve11548, CSCve30208, CSCve30214, CSCve30268 | Yihan Lian of Qihoo 360 GearTeam |
CSCve10584, CSCve10591, CSCve11503, CSCve10658, CSCve11507, CSCve10749, CSCve10744, CSCve11532, CSCve10762, CSCve10764, CSCve11538 | Kushal Arvind Shah of Fortinet's Fortiguard Team |
CSCvf38077, CSCvg54843, CSCvf38060, CSCvg54836, CSCvf38084, CSCvg54850, CSCvf49650, CSCvg54853, CSCvg54856, CSCvf49697, CSCvg54861, CSCvf49707, CSCvg54867 | Steven Seeley of Offensive Security working with Trend Micro's Zero Day Initiative |
CSCvf57234, CSCvg54868, CSCvg54870 | rgod working with Trend Micro's Zero Day Initiative |
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.4 | Provided clarity to vulnerable releases. | Affected Products | Final | 2017-December-12 |
1.3 | Provided clarity to first fixed versions. | Fixed Software | Final | 2017-November-30 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.