Cisco WebEx Extension for Chrome RCE (cisco-sa-20170124-webex)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A browser extension installed on the remote host is affected by a
remote code execution vulnerability.

Description :

The Cisco WebEx Extension for Chrome installed on the remote host is
affected by a remote code execution vulnerability due to a crafted
pattern that permits any URL utilizing it to automatically use native
messaging to access sensitive functionality provided by the extension.
An unauthenticated, remote attacker can exploit this vulnerability to
execute arbitrary code by convincing a user to visit a web page that
contains this pattern and starting a WebEx session.

See also :

http://www.nessus.org/u?068aee48
https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
https://bugs.chromium.org/p/project-zero/issues/detail?id=1100

Solution :

Upgrade to Cisco WebEx Extension version 1.0.7 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 96772

Bugtraq ID: 95737

CVE ID: CVE-2017-3823
