-
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.
The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The players can also be manually installed for offline playback after downloading the application from www.webex.com.
If the WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.
Cisco has released software updates that address these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex.
Note: Effective October 18, 2011, Cisco moved the current list of Cisco Security Advisories and Responses published by Cisco PSIRT. The new location is http://tools.cisco.com/security/center/publicationListing. You can also navigate to this page from the Cisco Products and Services menu of the Cisco Security (SIO) Portal. Following this transition, new Cisco Security Advisories and Responses will be published to the new location. Although the URL has changed, the content of security documents and the vulnerability policy are not impacted. Cisco will continue to disclose security vulnerabilities in accordance with the published Security Vulnerability Policy.
-
The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as "Client build: 27.25.4.11889." This indicates the server is running software version T27 SP25 EP4.
To determine whether a Cisco WebEx meeting site is running an affected version of the WebEx client build, users can log in to their Cisco WebEx meeting site and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details.
Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html. If the player is no longer needed, it can be removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting Services Removal tool" available at support.webex.com/support/downloads.html.
Users can manually verify the installed version of the WRF player to determine whether it is affected by these vulnerabilities. To do so, an administrator must examine the version numbers of the installed files and determine whether the version of the file contains the fixed code. Detailed instructions on how to verify the version numbers are provided in the following sections.
The following tables provide the first nonvulnerable version of each object.
Microsoft Windows
Two dynamically linked libraries (DLLs) were updated on the Microsoft Windows platform to address the vulnerabilities that are described in this advisory. These files are in the folder C:\Program Files\WebEx\Record Playback or C:\Program Files (x86)\Webex\Record Player. The version number of a DLL can be obtained by browsing the Record Playback directory in Windows Explorer, right-clicking on the file name, and choosing Properties. The Version or Details tab of the Properties page provides details on the library version. The following table gives the first fixed version number for each DLL. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.
| Library | T26 SP49 EP40 | T27 SP11 EP26 | T27 SP21 EP9 | T27 SP25 EP3 | T27 SP28 |
|---|---|---|---|---|---|
| atas32.dll | Not vulnerable | 2.6.11.0 | 2.6.21.5 | 2.6.25.0 | 2.6.28.0 |
| atdl2006.dll | 2.5.49.4000 | 2.6.1123.1 | 2.6.21.1 | 2.6.20.0 | Not vulnerable |
Mac
A package bundle was updated on the Macintosh platform to address the vulnerabilities that are described in this advisory. This file is in each user's home directory, which can be accessed in ~/Library/Application Support/WebEx Folder/824 for systems connected to servers running T26 and ~/Library/Application Support/WebEx Folder/924 for systems connected to servers running T27. The version can be obtained by browsing to the appropriate folder in Finder and control-clicking the filename. When the menu is displayed, select show package contents and then double-click the Info.plist file. The version number is shown at the bottom of the displayed table.
| Bundle | T26 SP49 EP40 | T27 SP11 EP26 | T27 SP21 EP9 | T27 SP25 EP3 | T27 SP28 |
|---|---|---|---|---|---|
| asplayback.bundle | 6.0.49.40 | 6.10.11.25 | 6.10.21.9 | 6.0.25.3 | 5.25.27.28 |
Linux
A shared object was updated on the Linux platform to address the vulnerabilities that are described in this advisory. This file is in the ~/.webex directory. The version number of the shared object can be obtained by performing a directory listing with the ls command. The version number is provided after the .so extension.
| Shared Object | T26 SP49 EP40 | T27 SP11 EP26 | T27 SP21 EP9 | T27 SP25 EP3 | T27 SP28 |
|---|---|---|---|---|---|
| atascli.so | 1.0.26.41 | 1.11.27.15 | 1.0.27.17 | 1.25.27.17 | 1.28.27.17 |
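The manual check described above can be scripted. The following is an added example, not code from Cisco or from the original advisory: it compares an installed file version against the table cell for the release column that applies, field by field as numbers. The function names, the status strings, and the `atascli.so.<version>` file name layout are assumptions made for illustration.

```python
import re

# First fixed versions transcribed from the advisory's three tables.
# None marks a cell the advisory lists as "Not vulnerable".
RELEASES = ["T26 SP49 EP40", "T27 SP11 EP26", "T27 SP21 EP9", "T27 SP25 EP3", "T27 SP28"]
FIRST_FIXED = {
    "atas32.dll": [None, "2.6.11.0", "2.6.21.5", "2.6.25.0", "2.6.28.0"],
    "atdl2006.dll": ["2.5.49.4000", "2.6.1123.1", "2.6.21.1", "2.6.20.0", None],
    "asplayback.bundle": ["6.0.49.40", "6.10.11.25", "6.10.21.9", "6.0.25.3", "5.25.27.28"],
    "atascli.so": ["1.0.26.41", "1.11.27.15", "1.0.27.17", "1.25.27.17", "1.28.27.17"],
}

def parse_version(text):
    """'2.6.1123.1' -> (2, 6, 1123, 1), so fields compare as numbers, not strings."""
    return tuple(int(part) for part in text.strip().split("."))

def split_so_name(filename):
    """Split an ls entry such as 'atascli.so.1.0.27.17' into (object, version)."""
    match = re.fullmatch(r"(.+\.so)\.(\d+(?:\.\d+)*)", filename)
    return (match.group(1), match.group(2)) if match else None

def check(component, release, installed):
    """Compare one installed version with the table cell for that release column."""
    if component not in FIRST_FIXED or release not in RELEASES:
        return "unknown"
    fixed = FIRST_FIXED[component][RELEASES.index(release)]
    if fixed is None:
        return "not vulnerable"
    have, need = parse_version(installed), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))   # pad so short versions compare cleanly
    need += (0,) * (width - len(need))
    return "not vulnerable" if have >= need else "vulnerable"

if __name__ == "__main__":
    # Constructed inventory: (file name, release column, installed version).
    name, version = split_so_name("atascli.so.1.0.27.16")
    for row in [("atdl2006.dll", "T27 SP11 EP26", "2.6.200.0"),
                ("atdl2006.dll", "T27 SP25 EP3", "2.6.20.5"),
                ("atdl2006.dll", "T27 SP21 EP9", "2.6.20.5"),
                (name, "T27 SP21 EP9", version)]:
        print(*row, "->", check(*row))
```

The first fixed versions are not monotonic across columns (atdl2006.dll is 2.6.21.1 for T27 SP21 EP9 but 2.6.20.0 for T27 SP25 EP3), so the comparison has to use the column for the release the site is running.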
Vulnerable Products
No other Cisco products are currently known to be affected by these vulnerabilities.
Products Confirmed Not Vulnerable
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF) file format is not affected by the vulnerabilities described in this document.
-
The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF file format is used to store WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players are applications that are used to play back and edit recording files (files with a .wrf extension). The WRF players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site (for stream playback mode). The WRF players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode).
The Cisco WebEx Recording Format (WRF) Player is affected by the following vulnerabilities:
Cisco WebEx Player WRF Parsing Vulnerability
This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-3319
Cisco WebEx Player ATAS32 Processing Vulnerability
This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-4004
The vulnerabilities may cause the player application to crash or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would need to open a malicious WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting.
-
There are no workarounds for the vulnerabilities disclosed in this advisory.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
These vulnerabilities are first fixed in the following versions:
- T26 SP49 EP40
- T27 FR20
- T27 SP11 EP23
- T27 SP21 EP9
- T27 SP23
- T27 SP25 EP3
- T27 SP28
The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release T27 SP22 EP9 is fixed, release T27 SP22 EP23 will also have the software fix. End users will see a version such as "Client build: 27.25.4.11889." This indicates the server is running software version T27 SP25 EP4.
If a WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site.
If a WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html. If the player is no longer needed, it can be removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting Services Removal tool" available at support.webex.com/support/downloads.html.
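The client build string shown to end users can be mapped to a release and checked against the fixed-release list above. The following is an added example, not code from Cisco or from the original advisory. It assumes every client build string follows the major.SP.EP.build layout of the advisory's one sample ("27.25.4.11889" is T27 SP25 EP4); the function names and status strings are illustrative.

```python
import re

# First fixed EP per (major, service pack), from the advisory's list; an entry
# without an EP (T27 SP23, T27 SP28) is taken as EP 0. T27 FR20 is omitted
# because the page does not show how an FR release appears in a build string.
FIRST_FIXED_EP = {(26, 49): 40, (27, 11): 23, (27, 21): 9,
                  (27, 23): 0, (27, 25): 3, (27, 28): 0}
# The advisory states affected versions are those prior to T26 SP49 EP40
# and T27 SP28, so later service packs of those majors are treated as fixed.
LAST_LISTED_SP = {26: 49, 27: 28}

def parse_client_build(text):
    """'Client build: 27.25.4.11889' -> (27, 25, 4), i.e. T27 SP25 EP4."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no four-field client build in {text!r}")
    major, sp, ep, _build = (int(field) for field in match.groups())
    return major, sp, ep

def release_name(major, sp, ep):
    """Format the parsed fields the way the advisory writes releases."""
    return f"T{major} SP{sp}" + (f" EP{ep}" if ep else "")

def fix_status(text):
    """Return 'fixed', 'affected', or 'unlisted' for a client build string."""
    major, sp, ep = parse_client_build(text)
    first_fixed_ep = FIRST_FIXED_EP.get((major, sp))
    if first_fixed_ep is not None:
        # Fixes are cumulative: a later EP of a listed release keeps the fix.
        return "fixed" if ep >= first_fixed_ep else "affected"
    if major in LAST_LISTED_SP and sp > LAST_LISTED_SP[major]:
        return "fixed"
    # Release not covered by the advisory's list; no verdict is inferred.
    return "unlisted"

if __name__ == "__main__":
    # The first string is the advisory's sample; the others are constructed.
    for shown in ["Client build: 27.25.4.11889", "27.25.2.100", "27.24.1.7"]:
        print(release_name(*parse_client_build(shown)), "->", fix_status(shown))
```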
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by TippingPoint. Cisco would like to thank TippingPoint for reporting these vulnerabilities to us.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1 | 2012-July-18 | Updated advisory metatags.
Revision 1.0 | 2011-October-26 | Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.