Cisco WebEx for Firefox RCE (cisco-sa-20170124-webex)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A browser extension installed on the remote host is affected by a
remote code execution vulnerability.

Description :

The Cisco WebEx Extension for Firefox installed on the remote host is
affected by a remote code execution vulnerability. Any URL that
contains a crafted pattern is permitted to automatically use native
messaging to access sensitive functionality provided by the extension.
An unauthenticated, remote attacker can exploit this vulnerability to
execute arbitrary code by convincing a user to visit a web page that
contains this pattern and starting a WebEx session.

See also :

http://www.nessus.org/u?068aee48
https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
https://bugs.chromium.org/p/project-zero/issues/detail?id=1100

Solution :

Upgrade ActiveTouch General Plugin Container to version 106, or
upgrade Cisco WebEx Extension to version 1.0.5 or later. If both are
in use, upgrade both.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 96907

Bugtraq ID: 95737

CVE ID: CVE-2017-3823
