WebEx browser extension command execution

Added: 01/26/2017
CVE: CVE-2017-3823
BID: 95737

Background

Cisco WebEx is an online meeting solution. Extensions that enable users to join meetings from their browser are available for all major web browsers.

Problem

A vulnerability in the WebEx browser extensions allows command execution when a user loads a specially crafted web page.

Resolution

Upgrade the WebEx extension for Google Chrome to version 1.0.7. Disable the WebEx extension for all other browsers until a fix becomes available. See Cisco advisory cisco-sa-20170124-webex for fix information.
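
One way to audit Chrome profiles for a WebEx extension older than the fixed version 1.0.7, as an added example that is not part of the original advisory. It assumes Chrome's standard "User Data" profile layout and that the extension's manifest name contains "WebEx" literally; the function names and the name match are illustrative choices, and a localized manifest name would be missed.

```python
import json
import os
import sys
from pathlib import Path

FIXED = (1, 0, 7)  # fixed Chrome extension version named in the Resolution


def parse_version(text):
    """Turn a dotted extension version such as '1.0.7' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_extensions(user_data_dir, name_marker="webex"):
    """Return (manifest_path, version, status) for each matching extension.

    status is 'vulnerable' (older than FIXED), 'ok', or 'unreadable'
    (a version string that is not dotted integers).
    name_marker is an assumption: it matches the manifest's literal name.
    """
    findings = []
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version dir>/
    pattern = "*/Extensions/*/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: cannot be identified
        if not isinstance(data, dict):
            continue
        if name_marker not in str(data.get("name", "")).lower():
            continue
        version = str(data.get("version", ""))
        try:
            status = "vulnerable" if parse_version(version) < FIXED else "ok"
        except ValueError:
            status = "unreadable"
        findings.append((str(manifest), version, status))
    return findings


if __name__ == "__main__":
    default = os.path.join(os.environ.get("LOCALAPPDATA", ""),
                           "Google", "Chrome", "User Data")
    root = sys.argv[1] if len(sys.argv) > 1 else default
    for path, version, status in audit_extensions(root):
        print(f"{status:10} {version:10} {path}")
```

Run it per user account, since each Windows user has a separate Chrome "User Data" directory; an old version directory can remain on disk briefly after Chrome auto-updates the extension.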

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
http://www.networkworld.com/article/3161491/security/cisco-scrambling-to-fix-a-remote-code-execution-problem-in-webex.html

Limitations

The exploit works against the WebEx extension for Google Chrome and requires a user to load the exploit page in a web browser.

Platforms

Windows
