Cisco Security Advisory

Buffer Overflow Vulnerabilities in the Cisco WebEx Player

Advisory ID: cisco-sa-20120627-webex

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120627-webex

Revision 1.1

Last Updated  2012 July 14 18:04  UTC (GMT)

For Public Release 2012 June 27 16:00  UTC (GMT)


Summary

The Cisco WebEx Recording Format (WRF) player contains four buffer overflow vulnerabilities and the Cisco Advanced Recording Format (ARF) player contains one buffer overflow vulnerability. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The players can also be manually installed for offline playback after downloading the application from http://www.webex.com/play-webex-recording.html.

If the WRF or ARF players were automatically installed, they will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the WRF or ARF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from http://www.webex.com/play-webex-recording.html.

Cisco has updated affected versions of the WebEx meeting sites and WRF and ARF players to address these vulnerabilities. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120627-webex

Affected Products

Vulnerable Products

The vulnerabilities disclosed in this advisory affect the Cisco WRF and ARF players. The following client builds of Cisco WebEx Business Suite (WBS 27 and WBS 28) are affected by at least one of the vulnerabilities that are described in this advisory:

  • Client builds 28.0.0 (T28 L10N)
  • Client builds 27.32.1 (T27 LD SP32 CP1) and prior
  • Client builds 27.25.10 (T27 LC SP25 EP10) and prior
  • Client builds 27.21.10 (T27 LB SP21 EP10) and prior
  • Client builds 27.11.26 (T27 L SP11 EP26) and prior

To determine the WebEx client build, users can log in to their Cisco WebEx meeting site and navigate to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page. Cisco WebEx software updates are cumulative in client builds. For example, if client build 27.32.10 is fixed, build 27.32.11 will also contain the software update. Cisco WebEx site administrators have access to secondary version nomenclature, such as T27 SP25 EP10. Such an example indicates that the server is running client build 27.25.10.

Note: Customers who do not receive automatic software updates may be running versions of Cisco WebEx that have reached end of software maintenance and should contact customer support.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players are applications that are used to play back and edit recording files, which use the .wrf or .arf extensions. The WRF players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site (for stream playback mode).

The WRF and ARF players can also be manually installed after downloading the application from http://www.webex.com/play-webex-recording.html to play back recording files locally (for offline playback mode).

The following table provides the Cisco bug IDs and Common Vulnerabilities and Exposures (CVE) identifiers that have been assigned for the buffer overflows in this advisory:

Title CVE ID Cisco Bug ID
Cisco WebEx Arbitrary Code Execution Through ARF Files CVE-2012-3053 CSCtz72985 (registered customers only)
Cisco WebEx Player WRF File Heap Overflow CVE-2012-3054 CSCtz72977 (registered customers only)
WRF JPEG DHT Chunk Stack Buffer Overflow CVE-2012-3055 CSCtz72953 (registered customers only)
WRF File Memory Corruption CVE-2012-3056 CSCtz72946 (registered customers only)
WRF File Audio Size Heap Overflow CVE-2012-3057 CSCtz00755 (registered customers only)

Exploitation of the vulnerabilities may cause the player application to crash or, in some cases, result in remote code execution.

To exploit one of these vulnerabilities, the player application must open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss



CSCtz72985: Cisco WebEx Arbitrary Code Execution Through ARF Files 

Calculate the environmental score of CSCtz72985

CVSS Base Score - 9.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Medium

None

Complete

Complete

Complete

CVSS Temporal Score - 7.3

Exploitability

Remediation Level

Report Confidence

Proof-of-Concept

Official-Fix

Confirmed




CSCtz72977: Cisco WebEx Player WRF File Heap Overflow 

Calculate the environmental score of CSCtz72977

CVSS Base Score - 9.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Medium

None

Complete

Complete

Complete

CVSS Temporal Score - 7.3

Exploitability

Remediation Level

Report Confidence

Proof-of-Concept

Official-Fix

Confirmed




CSCtz72953: WRF JPEG DHT Chunk Stack Buffer Overflow 

Calculate the environmental score of CSCtz72953

CVSS Base Score - 9.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Medium

None

Complete

Complete

Complete

CVSS Temporal Score - 7.3

Exploitability

Remediation Level

Report Confidence

Proof-of-Concept

Official-Fix

Confirmed




CSCtz72946: WRF File Memory Corruption 

Calculate the environmental score of CSCtz72946

CVSS Base Score - 9.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Medium

None

Complete

Complete

Complete

CVSS Temporal Score - 7.3

Exploitability

Remediation Level

Report Confidence

Proof-of-Concept

Official-Fix

Confirmed




CSCtz00755: WRF File Audio Size Heap Overflow 

Calculate the environmental score of CSCtz00755

CVSS Base Score - 9.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Medium

None

Complete

Complete

Complete

CVSS Temporal Score - 7.7

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed


Impact

Successful exploitation of the vulnerabilities that are described in this document could cause the Cisco WRF or ARF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF or ARF player application.

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

The following client builds of Cisco WebEx Business Suite (WBS27) correct the vulnerabilities described in this advisory:

  • Client builds 28.1.0 (T28 L10N SP1)
  • Client builds 27.32.2 (T27 LD SP32 CP2)
  • Client builds 27.25.11 (T27 LC SP25 EP11)

Client builds prior to T27 SP25 have reached end of support; to obtain fixed software please upgrade to the latest version.

To determine the WebEx client build, users can log in to their Cisco WebEx meeting site and navigate to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page. Cisco WebEx software updates are cumulative in client builds. For example, if client build 27.25.10 is fixed, build 27.25.11 will also contain the software update.

The Microsoft Windows, Apple Mac OS X, and Linux versions of the Cisco WRF and ARF players are all affected. If a player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If a Cisco WebEx recording player was manually installed, users must download the latest version from http://www.webex.com/play-webex-recording.html and install it. To remove the players completely, access the Meeting Services Removal Tool or Mac Cisco-WebEx Uninstaller (for Apple Mac users) at http://support.webex.com/support/downloads.html.

Users can determine whether a player is affected by these vulnerabilities by manually verifying the installed version. To do so, users can examine the file version and determine whether it contains the fixed code.

Microsoft Windows

Six dynamic link libraries (DLLs) were updated on the Microsoft Windows platform to address the vulnerabilities that are described in this advisory. These files are in the C:\Program Files\WebEx\Record Playback folder or the C:\Program Files (x86)\Webex\Record Player folder. The version number of a DLL can be obtained by browsing the Record Playback directory in Windows Explorer, right-clicking the filename, and choosing Properties. The Version or Details tab of the Properties page provides details on the library version. The following table provides the first fixed version for each DLL. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.

Client Build Cisco DLL Filename DLL File Versions
28.1.0 atjpeg60.dll 2028,1201,300,500
27.25.11 ataudio.dll 27,2300,2012,316
27.25.11 atas32.dll 2027,1225,311,1300
27.25.11 atdl2006.dll 1027, 1225, 311,1300
27.25.11 ATJPEG60.dll 2027, 1225, 311, 1300
27.25.11 atpdmod.dll 2023.1225.300.1600
27.25.11 nbrpd.dll 2023.1225.300.1600
27.32.2 ataudio.dll 28,32,2012,208
27.32.2 atas32.dll 2, 6, 32, 3
27.32.2 atdl2006.dll 1027, 1232, 102, 700
27.32.2 ATJPEG60.dll 1027, 1232, 102, 700
27.32.2 atpdmod.dll 2029.1232.202.900
27.32.2 nbrpd.dll 2029.1232.202.900

Apple Mac

Six package bundles were updated on the Apple Mac OS platform to address the vulnerabilities that are described in this advisory. This file is in each user's home directory and can be accessed from ~/Library/Application Support/WebEx Folder/924. The version can be obtained by browsing to the appropriate folder in Finder and control-clicking the filename. When the menu is displayed, choose show package contents and then double-click the Info.plist file. The version number is shown at the bottom of the displayed table. The following table provides the first fixed version for each package bundle. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.

Client Build Cisco Bundle Filename Bundle File Versions
27.25.11 as.bundle 1203.15.2725.11
27.25.11 asplayback.bundle 1203.15.2725.11
27.25.11 atas.bundle 1203.15.2725.11
27.25.11 ataudio.bundle 3.22.25.0
27.25.11 nbrpd.bundle 1203.15.2725.11
27.25.11 pd.bundle 1203.15.2725.11
27.32.2 as.bundle 2.8.2732.2
27.32.2 asplayback.bundle 2.8.2732.2
27.32.2 atas.bundle 2.8.2732.2
27.32.2 ataudio.bundle 2.9.32.1
27.32.2 nbrpd.bundle 2.9.32.1
27.32.2 pd.bundle 2.9.32.1

Linux

Three shared objects were updated on the Linux platform to address the vulnerabilities that are described in this advisory. These files are in the ~/.webex directory. The version number of the shared objects can be obtained by performing a directory listing with the ls command. The version number is provided after the .so extension. The following table provides the first fixed version for each shared object. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.

Client Build Cisco Shared Object Filename Shared Object File Versions
27.25.11 atascli.so 1.25.27.18
27.25.11 ataudio.so 1.27.25.2
27.32.2 atascli.so 1.29.27.25
27.32.2 ataudio.so 1.27.32.1
27.32.2 Libnbrdv.so 1.29.27.29

Workarounds

There are no workarounds for the vulnerabilities described in this document.

Obtaining Fixed Software

Cisco has updated affected versions of  the Cisco WebEx Player to address these vulnerabilities. The majority of customers received these updates automatically. Customers who did not receive the recent security update can contact their Customer Success representative to begin planning an upgrade.

If you have questions, require additional support, or would like to provide feedback or discuss the latest release, Cisco WebEx Global Support Services and Technical Support can be reached at http://support.webex.com/support/support-overview.html or by phone at +1-866-229-3239 or +1-408-435-7088. If you are located outside the United States, please visit http://support.webex.com/support/phone-numbers.html for local support numbers.

Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades

Customers with Service Contracts

This section does not apply to vulnerabilities in Cisco WebEx products.

Customers Using Third-Party Support Organizations

This section does not apply to vulnerabilities in Cisco WebEx products.

Customers Without Service Contracts

This section does not apply to vulnerabilities in Cisco WebEx products.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

These vulnerabilities were reported to Cisco by iDefense and Microsoft Vulnerability Research (MSVR).

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120627-webex

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 1.1 2012-July-14 Updated meta-tags for Affected Products.
Revision 1.0 2012-Jun-27 Initial public release

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
Download this document (PDF)
View Printable Version