A new Cisco Webex privilege escalation vulnerability

This vulnerability can be exploited only by local attackers

Malicious hackers could exploit a privilege escalation vulnerability in Cisco Webex Meetings for Windows operating systems to execute arbitrary commands with administrator privileges, report network security specialists from the International Institute of Cyber Security.

This vulnerability affects all versions of the Cisco Webex Meetings desktop application between 33.6.4.15 and 33.8.2.7, although experts do not rule out the possibility that earlier versions could also be affected.

This vulnerability (CVE-2019-1674) is an operating system command injection flaw that bypasses the security measures Cisco implemented after fixing a DLL hijacking problem found earlier in the same application.

According to network security experts, CVE-2019-1674 exists because the update service of Webex for Windows does not properly validate the version numbers of new files. Non-privileged local attackers could exploit the vulnerability by invoking the update service with a specially crafted command.

Malicious hackers could exploit this vulnerability by replacing the application's update binary with a previous version, using the fake software update technique. This results in privilege escalation, allowing the attackers to execute arbitrary commands with administrator privileges.
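The version validation gap described above can be illustrated from the defender's side. The Python sketch below is an added example, not Cisco's updater code or the fix it shipped: it parses version strings numerically, flags inventory entries that fall in the affected range given in this article, and shows an anti-rollback rule that refuses any candidate not strictly newer than the installed version. All function names and the sample inventory are hypothetical.

```python
# Added example: hypothetical helper names, not Cisco's updater logic.
import re

# Affected range as stated in the article (inclusive).
AFFECTED_MIN = (33, 6, 4, 15)
AFFECTED_MAX = (33, 8, 2, 7)
_VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")

def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; reject anything else."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"malformed version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad missing fields with 0

def is_in_affected_range(version_text):
    """True if the version lies in the range the article lists as affected."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def accept_update(installed_text, candidate_text):
    """Anti-rollback rule: accept only a well-formed, strictly newer version."""
    try:
        candidate = parse_version(candidate_text)
    except ValueError:
        return False  # fail closed on unparseable input
    return candidate > parse_version(installed_text)

def triage(inventory):
    """Return hosts whose reported version is affected or unparseable."""
    flagged = {}
    for host, version_text in inventory.items():
        try:
            if is_in_affected_range(version_text):
                flagged[host] = "affected"
        except ValueError:
            flagged[host] = "unparseable"
    return flagged

# Constructed sample inventory (hostnames and versions are made up).
# "33.10.0.2" sorts before "33.8.2.7" as a string but is numerically newer.
SAMPLE_INVENTORY = {
    "ws-001": "33.6.4.15", "ws-002": "33.8.2.7", "ws-003": "33.10.0.2",
    "ws-004": "33.9.1", "ws-005": "33.7.x",
}
```

Comparing integer tuples rather than raw strings is what keeps a version such as 33.10.0.2 from being mistaken for an older release.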

This is not the first time that network security experts have found vulnerabilities in this tool, although this one is not considered as severe as the vulnerability known as webexec, which allows attackers to execute commands remotely through a component of a vulnerable version of Webex.
