Summary

• A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.
  
  The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.
  
  Cisco has released software updates for Google Chrome and Mozilla Firefox that address this vulnerability. There are no workarounds that address this vulnerability.
  
  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Affected Products

• Vulnerable Products

  This vulnerability affects Cisco WebEx extensions for Windows when running on most supported browsers. The affected browsers are Google Chrome and Mozilla Firefox.
  
  The following versions of the Cisco WebEx browser extensions are affected by the vulnerability described in this document:

  • Versions prior to 1.0.12 of the Cisco WebEx extension on Google Chrome
  • Versions prior to 1.0.12 of the Cisco WebEx extension on Mozilla Firefox

  Customers can use the following steps to determine which versions of the Cisco WebEx extensions are being used.
  
  Google Chrome
  
  Chrome users can determine the version of the Cisco WebEx extension for Google Chrome by doing the following:

  1. In Chrome, click the menu button (three dots at the upper right of the application) and choose More Tools > Extensions

  The extension version is listed next to the Cisco WebEx extension name.
  
  The Cisco WebEx extension for Google Chrome identification string, which organizations can use to identify hosts that contain the extension, is the following:

  jlhmfgmfgeifomenelglieieghnjghma

  Mozilla Firefox
  
  Firefox users can determine the version of the Cisco WebEx extension for Mozilla Firefox by doing the following:

  1. In Firefox, click the menu button (three horizontal bars at the upper right of the application) and choose Add-ons
  2. Click the Extensions tab
  3. Locate Cisco WebEx Extension in the list of extensions and click the More link to obtain the version information

  
  

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.
  
  Cisco has confirmed that this vulnerability does not affect the following products:
  

  • Cisco WebEx Productivity Tools
  • Cisco WebEx browser extensions for Mac or Linux
  • Cisco WebEx on Microsoft Edge or Internet Explorer

Workarounds

• There are no workarounds that address this vulnerability. However, Windows users may use Internet Explorer and administrators and users of Windows 10 systems may use Microsoft Edge to join and participate in WebEx sessions because Microsoft Internet Explorer and Microsoft Edge are not affected by this vulnerability. Additionally, administrators and users can remove all WebEx software from a Windows system by using the Meeting Services Removal Tool, which is available from https://help.webex.com/docs/DOC-2672.

Fixed Software

• Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
  
  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
  
  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  Customers Without Service Contracts
  
  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
  http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
  
  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
  
  Fixed Releases
  
  To resolve the vulnerability, users must ensure that they have updated versions of the following:

  1. Cisco WebEx extensions for Google Chrome or Mozilla Firefox
  2. Cisco WebEx Desktop Applications

  
  For the latest information about fixes for the following products, consult the appropriate Cisco bug ID:

  • Cisco WebEx Meeting Center: CSCvf15012
  • Cisco WebEx Event Center: CSCvf15036
  • Cisco WebEx Training Center: CSCvf15033
  • Cisco WebEx Support Center: CSCvf15037
  • Cisco WebEx Meetings Server: CSCvf15020
  • Cisco WebEx Meetings: CSCvf15030

  
  Browser Updates
  The following subsections provide instructions for updating the Cisco WebEx browser extensions. Customers can allow their browsers to auto-update by launching the browser and keeping the browser window open for 3-6 hours, during which time the extensions will be auto-updated.
  
  Note: Should the browser window close before the auto-update check completes, the timer will reset, requiring a browser window to be launched at a later time and remain open for 3-6 hours to receive the update.
  
  Google Chrome
  
  The Cisco WebEx extension for Google Chrome version 1.0.12 was released on July 13, 2017, and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx extension for Google Chrome by doing the following:
  

  1. In Chrome, click the menu button (three dots at the upper right of the application) and choose More Tools > Extensions.
  2. Check the Developer mode check box at the top of the extensions manager. Chrome will display a row of buttons.
  3. Click the Update extensions now button.
     
  4. Restart the Chrome browser.

  
  Mozilla Firefox
  
  The Cisco WebEx extension for Mozilla Firefox version 1.0.12 was released on July 12, 2017, and contains a fix for this vulnerability. Firefox users can ensure they are using the fixed version of the Cisco WebEx extension for Mozilla Firefox by doing the following:
  

  1. In Firefox, click the menu button (three horizontal bars at the upper right of the application) and choose Add-ons
  2. Click the Extensions tab
  3. Locate Cisco WebEx Extension in the list of extensions and click the More link to obtain the version information
  4. Click the cogwheel next to the search bar and choose Check for Updates

  
  Microsoft Internet Explorer
  
  Because there are shared components between the Google Chrome and Mozilla Firefox extensions and Internet Explorer, Internet Explorer users will be prompted to update Cisco WebEx plug-ins. The plug-ins are available as part of the Cisco WebEx client packages associated with each WebEx product, and will be available to download after a WebEx site has been upgraded to a fixed version. Upgraded clients are available from the Downloads section of each site after an upgrade has been performed. Users that connect to an upgraded site without the updated client software may be prompted to perform an online upgrade.
  
  Customers may check that the browser plug-in upgrade was successful by using the following procedures for Microsoft Internet Explorer:
  
  Note: The registered name of the plug-in in Internet Explorer may differ based on the installation method used for the plug-in. The version of the plug-in depends on the version of Cisco WebEx that provided the update. The update may have been applied either via the web when joining a WebEx meeting or by a local update of the client via an MSI file. When a fixed version of the plug-in from any version of Cisco WebEx is installed, it will not be downgraded or changed to a version installed by a different fixed version of Cisco WebEx. Internet Explorer users can ensure they are using the fixed version of the plug-in for Internet Explorer by doing the following:
  

  1. In Internet Explorer, click the Tools button (the cog icon at the upper right of the application) and choose Manage add-ons.
  2. From the Show drop-down menu, choose All add-ons.
  3. Select either the Download Manager or GpcContainer Class add-on under Cisco WebEx LLC. The version number is displayed at the bottom of the Manage add-ons window.
     
  4. Validate that the Download Manager version or GpcContainer Class version displayed is one of the version strings in the following table:

  
  

  Cisco WebEx Major Version	Fixed GPC Container or Download Manager Version
  32.3.4.5	10032.3.2017.711
  31.14.3.30	10031.14.2017.711
  31.11.11	10031.11.2017.0713
  30.20.3.10012	10030.100.2017.0711
  30.9.3	10030.100.2017.0713
  30.6.7	10030.100.2017.0713

  
  
  Validating Cisco WebEx Desktop Application Product Upgrades
  
  Cisco has released fixes for all major versions for Cisco WebEx Desktop Application for use with following products:
  

  • Cisco WebEx Meeting Center
  • Cisco WebEx Event Center
  • Cisco WebEx Training Center
  • Cisco WebEx Support Center
  • Cisco WebEx Meetings

  
  

  Cisco WebEx Major Version	Fixed Desktop Application Version
  WBS32	32.3.4.5
  WBS31	31.14.3, 31.11.11
  WBS30	30.20.3, 30.9.3, 30.6.7

  
  Note: There are no fixes available for WBS29.
  
  Current WebEx customers can confirm that their site has received updated software by reviewing the Application Version information in the Support section of their WebEx page. Perform the following steps to view this information:
  

  1. Sign in to your WebEx account
  2. Click the Meeting Center tab
  3. Under Support, click Downloads
  4. The Application Version is displayed on the right side of the screen under the About Meeting Center heading

  
  If you have not automatically received the update, please contact Cisco Support or a Cisco partner.
  
  Note: The clients for all licensed features of a Cisco WebEx product must be upgraded to ensure compatibility with the deployed site application version. Upgrading a single client will resolve the vulnerability documented by CVE-2017-6753. The following clients are available:
  

  • Cisco WebEx Meeting Center Client
  • Cisco WebEx Event Center Client
  • Cisco WebEx Training Center Client
  • Cisco WebEx Support Center Client
  • Cisco WebEx Access Anywhere Client
  • Cisco WebEx Remote Access Client

  
  Cisco WebEx Meetings
  
  Cisco has released a fix for Cisco WebEx Meetings. Cisco WebEx Meetings Software has been upgraded to T30.20.3.
  
  Cisco WebEx Meetings Server
  
  Customers who have deployed Cisco WebEx Meetings Server, the onsite Cisco WebEx offering, can download updated software at https://software.cisco.com/download/navigator.html?mdfid=282628019&flowid=76922 or choose the following options from the Cisco Software Center:
  Products > Conferencing > Web Conferencing > WebEx Meetings Server
  
  It is recommended that customers utilizing Cisco WebEx Meetings Server version 2.6 migrate to Cisco WebEx Meetings Server 2.7 or later. The following releases of Cisco WebEx Meetings Server have been updated to address this vulnerability:
  

  • WebEx Meetings Server 2.6MR3 Patch 5
  • WebEx Meetings Server 2.7MR2 Patch 9
  • WebEx Meetings Server 2.8 Patch 3

  
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was reported to Cisco by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex

Revision History

• Version	Description	Section	Status	Date
  1.3	Included Cisco WebEx Meetings Server 2.6 patch information.	Fixed Software	Final	2017-August-11
  1.2	Included browser auto-update information.	Fixed Software	Final	2017-July-19
  1.1	Modified workarounds section.	Workarounds	Final	2017-July-18
  1.0	Initial public release.	-	Final	2017-July-17

  Show Less