Cisco recently issued numerous security fixes for bugs affecting a range of products. These include fixes for some high-severity flaws in the Webex Meetings Desktop app.
Serious Bug In Webex Meetings App For Mac
Cisco has addressed a high-severity flaw that affected the Webex Meetings Desktop app for Mac. The bug existed in the app's update feature and, if exploited, could allow remote code execution.
As Cisco explains in its advisory:
The vulnerability is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update. An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website.
Cisco rated this bug, CVE-2020-3342, as high severity with a CVSS score of 8.8. It affected all lockdown versions of the Mac app before Release 39.5.11. Users can address the vulnerability by updating to Mac app release 39.5.11 or later.
Other Webex Meetings Desktop App Flaws
Apart from the above, Cisco also patched two more high-severity flaws in the Webex Meetings Desktop app.
One of these, CVE-2020-3263, existed due to improper validation of input supplied to app URLs. An adversary could exploit the flaw by luring the user into following a malicious URL. A successful exploit could let the adversary execute other programs already installed on the victim's device.
Cisco patched this flaw with the Webex Desktop app release 40.1.0 and later, and lockdown versions 39.5.12 and later.
The other vulnerability, CVE-2020-3361, existed due to a lack of proper validation of authentication tokens by a Webex website. As a result, an adversary could gain access to the target site with the same privileges as the victim.
Cisco has stated that there has been no public exploitation of these flaws so far. Nonetheless, now that the details are out, users should make sure to update to the latest patched versions available.
For details about all the patches rolled out this week, see the list of Cisco security advisories.