Several products have been updated to address the security holes

May 9, 2014 12:41 GMT

Experts at Fortinet, iDefense and Microsoft have notified Cisco of several vulnerabilities in WebEx Players, the applications used to play back meetings recorded with the company’s WebEx multimedia conferencing solutions.

According to an advisory published by Cisco, researchers identified multiple buffer overflow vulnerabilities in the WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players.

The flaws can be exploited to crash the players and, in some cases, to execute code remotely on the affected systems.

Cisco has released updates for WebEx Business Suite meeting sites, WebEx 11 meeting sites, WebEx Meetings Server, and WebEx WRF and ARF Players to address the issues.

The vulnerabilities are the following:

CVE-2014-2132 – an out-of-bounds read vulnerability in the WebEx WRF and ARF players

CVE-2014-2133 – LZW decompress memory corruption vulnerability in WebEx ARF Player

CVE-2014-2134 – file audio channel parsing heap overflow vulnerability in WebEx WRF Player

CVE-2014-2135 – memory corruption vulnerability in WebEx ARF Player

CVE-2014-2136 – memory corruption vulnerability in WebEx ARF Player

“To exploit one of these vulnerabilities, the player applications would need to open a malicious ARF or WRF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using email), or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting,” Cisco notes in its advisory.