Softpedia
 


August 18th, 2008, 14:24 GMT

Cisco Patches Meeting Service Serious Vulnerability

Cisco has updated its previously released advisory on a buffer overflow vulnerability in WebEx Meeting Manager to include a permanent patch. The vulnerability, which has a Common Vulnerability Scoring System (CVSS) base score of 9.3, can allow arbitrary code execution if exploited successfully.

An ActiveX control buffer overflow vulnerability was reported in Cisco's WebEx Meeting Manager earlier this month by security researcher Elazar Broad. Cisco responded by releasing an advisory on August 15, which contained only a manual workaround.

WebEx Meeting is a Cisco service that provides online professional multimedia conferencing, aimed mostly at corporate users. Upon accessing a WebEx meeting for the first time, the user is prompted to download, install and configure the WebEx Meeting Manager. The vulnerability exists in the atucfobj.dll ActiveX control used by versions of WebEx Meeting Manager prior to 20.2008.2606.4919.

The vulnerability affects WBS-23, 25 and 26 servers, up to version 26.49.9.2838. The patch was applied in version 26.49.9.2838, and users connecting to a server running this version or later will automatically have their WebEx Meeting Manager brought up to date. There is no automatic patch for WBS-25, so users of this server variant should manually download an updated version of the WebEx Meeting Manager. The advisory also notes that WBS-23 won't be patched at all and that everyone running this version should upgrade their servers to WBS-26.

A computer containing a vulnerable version of atucfobj.dll could be attacked through malicious code embedded in HTML that calls the affected function through ActiveX. This makes exploitation possible through web sites, e-mail messages or instant messaging applications. Workarounds involve completely uninstalling the WebEx Meeting Manager or setting the kill bit for this particular ActiveX control in Microsoft Windows.
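A host-side audit for the two conditions described above (an outdated atucfobj.dll and a missing kill bit), as an added example that is not from the article or from Cisco's advisory. The CLSID is a placeholder because the article does not give one, the search path is an assumed default, and the script assumes the DLL's file version tracks the Meeting Manager version quoted above.

```powershell
param(
    # Placeholder: the article does not give the control's CLSID; take it from the vendor advisory.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    # Assumed location of downloaded ActiveX controls; adjust for the host being audited.
    [string]$SearchRoot = (Join-Path $env:SystemRoot 'Downloaded Program Files')
)

$FixedVersion = [version]'20.2008.2606.4919'  # first fixed Meeting Manager version per the article
$KillBit = 0x400                              # kill bit value in "Compatibility Flags"

function Test-KillBit([string]$Id) {
    # 32-bit and 64-bit Internet Explorer read separate registry views; check each one that exists.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    ) | Where-Object { Test-Path -LiteralPath $_ }
    if (-not $roots) { return $false }
    foreach ($root in $roots) {
        $prop = Get-ItemProperty -LiteralPath (Join-Path $root $Id) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if (-not $prop) { return $false }
        if (($prop.'Compatibility Flags' -band $KillBit) -ne $KillBit) { return $false }
    }
    return $true
}

$killBitSet = Test-KillBit $Clsid
$dlls = @(Get-ChildItem -LiteralPath $SearchRoot -Filter 'atucfobj.dll' -Recurse -ErrorAction SilentlyContinue)

if ($dlls.Count -eq 0) {
    Write-Output "atucfobj.dll not found under $SearchRoot (kill bit set: $killBitSet)"
}
foreach ($dll in $dlls) {
    $vi = $dll.VersionInfo
    $fileVersion = New-Object Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $outdated = $fileVersion -lt $FixedVersion
    [pscustomobject]@{
        Path       = $dll.FullName
        Version    = $fileVersion
        Outdated   = $outdated
        KillBitSet = $killBitSet
        # Exposed only when the old control is present and nothing blocks it from loading.
        Exposed    = $outdated -and -not $killBitSet
    }
}
```

The kill bit is reported as set only when every registry view present on the host carries it, since a 32-bit browser on a 64-bit system reads the Wow6432Node copy.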

Since WebEx Meeting is mostly used by corporate users, attacks exploiting this vulnerability are more likely to aim at extracting private and sensitive information from organizations. Mr. Elazar Broad notes in his report that Cisco informed him that they were aware of this vulnerability at the time when he submitted it to them.

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3558.
