====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN108
_____________________________________________________________________

DATE                : 05/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running Cisco Webex Meetings versions prior
                       to 39.5.17, 39.11.0,
                     Webex Meetings Latest Sites versions prior to 40.0,
                     Webex Meetings Online versions prior to 1.3.49,
           Webex Meetings Server versions prior to 3.0MR3SecurityPatch1,
                          4.0MR2SecurityPatch2.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player
_____________________________________________________________________

Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary
Code Execution Vulnerabilities

High
Advisory ID:      cisco-sa-20200304-webex-player
First Published:  2020 March 4 16:00 GMT
Version 1.0:      Final
Workarounds:      No workarounds available
Cisco Bug IDs:    CSCvr82763
                  CSCvr84091
                  CSCvr84096
                  CSCvr89202
                  CSCvr89467
                  CSCvr89471
CVSS Score:       Base 7.8

CVE-2020-3127
CVE-2020-3128
CWE-20


Summary

    Multiple vulnerabilities in Cisco Webex Network Recording Player for
Microsoft Windows and Cisco Webex Player for Microsoft Windows could
allow an attacker to execute arbitrary code on an affected system.

    The vulnerabilities are due to insufficient validation of certain
elements within a Webex recording that is stored in either the Advanced
Recording Format (ARF) or the Webex Recording Format (WRF). An attacker
could exploit these vulnerabilities by sending a malicious ARF or WRF
file to a user through a link or email attachment and persuading the
user to open the file on the local system. A successful exploit could
allow the attacker to execute arbitrary code on the affected system with
the privileges of the targeted user.

    Cisco has released software updates that address these
vulnerabilities. There are no workarounds that address these
vulnerabilities.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player


Affected Products


    Vulnerable Products

    These vulnerabilities affect the following releases of Cisco Webex
Network Recording Player for Microsoft Windows and Cisco Webex Player
for Microsoft Windows, which are available from Cisco Webex Meetings
sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings
Server:
        Cisco Webex Meetings — All Webex Network Recording Player and
Webex Player releases earlier than Release WBS 39.5.17 or WBS 39.11.0

        Cisco Webex Meetings Online — All Webex Network Recording Player
and Webex Player releases earlier than Release 1.3.49

        Cisco Webex Meetings Server — All Webex Network Recording Player
releases earlier than Release 3.0MR3SecurityPatch1 and
4.0MR2SecurityPatch2


    To determine which release of Cisco Webex Network Recording Player
or Cisco Webex Player is installed on a system, open the player and
choose Help > About.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
advisory are known to be affected by these vulnerabilities.


Details

    Cisco Webex Meetings services and Cisco Webex Meetings Online are
hosted, multimedia conferencing solutions that are managed and
maintained by Cisco Webex. Cisco Webex Meetings Server is a multimedia
conferencing solution that customers host, manage, and maintain in their
private clouds.

    Cisco Webex Meetings services can be configured to allow users to
store meeting recordings online and download those recordings as ARF
files. These services can also be configured to allow users to record
meetings directly on their local computers as WRF files.

    Cisco Webex Network Recording Player is used to play back ARF files.
It is available from Cisco Webex Meetings sites, Cisco Webex Meetings
Online, and Cisco Webex Meetings Server. It can be installed manually
from the Cisco Webex website, from a user’s Webex site, or automatically
when a user accesses an ARF file for streaming playback from a Cisco
Webex Meetings site.

    Cisco Webex Player is used to play back WRF files. It is available
from Cisco Webex Meetings sites and Cisco Webex Meetings Online. It is
not available from Cisco Webex Meetings Server. It can also be installed
manually from the Cisco Webex website or from a user’s Webex site.


Workarounds

    There are no workarounds that address these vulnerabilities.


Fixed Software

    Cisco has released free software updates that address the
vulnerabilities described in this advisory. Customers may only install
and expect support for software versions and feature sets for which they
have purchased a license. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to follow the
terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
have a valid license, procured from Cisco directly, or through a Cisco
authorized reseller or partner. In most cases this will be a maintenance
upgrade to software that was previously purchased. Free security
software updates do not entitle customers to a new software license,
additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to
regularly consult the advisories for Cisco products, which are available
from the Cisco Security Advisories and Alerts page, to determine
exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be
upgraded contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their contracted
maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco TAC:

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of entitlement
to a free upgrade.


    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software
release as indicated in the following table:

    Cisco Webex Platform 	First Fixed Release
    Webex Meetings 39.5.x Sites 	39.5.17
    Webex Meetings Latest Sites 	40.0
    Webex Meetings Online1 	1.3.43 (CVE-2020-3127)
    1.3.49 (CVE-2020-3128)
    Webex Meetings Server 	3.0MR3SecurityPatch1
    Webex Meetings Server 	4.0MR2SecurityPatch2


    1. Although the vulnerability identified as CVE-2020-3127 is
addressed in Cisco Webex Meetings Online Release 1.3.43, this release is
still affected by the vulnerability identified as CVE-2020-3128.
Customers who are using Cisco Webex Meetings Online are advised to
upgrade to Release 1.3.49 or later to address all vulnerabilities
described in this advisory.

    Note: Cisco Webex Meetings 33.6.x releases reached end of life on
Feb. 28, 2020. Customers are advised to upgrade to a fixed and supported
release.


Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerabilities that are described in this advisory.


Source

    Cisco would like to thank Francis Provencher (PRL) working with
Trend Micro Zero Day Initiative for reporting the vulnerability
identified as CVE-2020-3127. Cisco would also like to thank Kexu Wang of
Fortinet’s FortiGuard Labs for independently reporting this
vulnerability as well as the vulnerability identified as CVE-2020-3128.


URL


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player


Revision History

Version 	Description 	Section 	Status 	Date
1.0 	Initial public release. 	— 	Final 	2020-MAR-04


Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================