Cisco WebEx for Internet Explorer RCE (cisco-sa-20170124-webex)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A browser extension installed on the remote host is affected by a
remote code execution vulnerability.

Description :

The Cisco WebEx Extension for Internet Explorer installed on the
remote host is affected by a remote code execution vulnerability due
to a crafted pattern that permits any URL utilizing it to
automatically use native messaging to access sensitive functionality
provided by the extension. An unauthenticated, remote attacker can
exploit this vulnerability to execute arbitrary code by convincing a
user to visit a web page that contains this pattern and starting a
WebEx session.

See also :

http://www.nessus.org/u?068aee48
https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
https://bugs.chromium.org/p/project-zero/issues/detail?id=1100

Solution :

Upgrade to Cisco WebEx Extension version 2.1.0.10 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 96908

Bugtraq ID: 95737

CVE ID: CVE-2017-3823
