A critical vulnerability in Cisco WebEx browser extensions that could allow unauthenticated remote code execution (RCE) on targeted machines is being actively exploited in the wild.
The news comes just days after Cisco issued a flurry of 24 different patches for its IOS XE operating system and warned of an incomplete fix for two small business routers (RV320 and RV325).
WebEx is Cisco’s widely used conferencing platform, a cloud-based service for on-demand web and video conferencing. Its browser extensions make it easier for users to join meetings and collaborate.
In exploiting this latest bug, attackers could execute arbitrary code with the privileges of the affected browser on Windows PCs that have specific browser extensions installed. The vulnerable extensions are for Cisco WebEx Meetings Server and Cisco WebEx Centers (Meeting Center, Event Center, Training Center and Support Center), according to an advisory.
“The vulnerability is due to a design defect in an application programming interface (API) response parser within the plugin,” Cisco said in the alert, issued Thursday.
The issue (CVE-2017-3823) can be easily exploited as well: An attacker needs only to convince an affected user to visit a booby-trapped web page or follow an attacker-supplied link with an affected browser. It appears that’s what’s happening now, according to the advisory.
The vulnerability was discovered in 2017 by Tavis Ormandy of Google, and Cisco subsequently released software updates for the Google Chrome, Firefox and Internet Explorer extensions. Users who have not yet applied them should update immediately.
Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome, prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox, prior to the first fixed version of the GpcContainer Class ActiveX control plugin on Internet Explorer, and prior to 220.127.116.11 of the Download Manager ActiveX control plugin on Internet Explorer are affected.
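Because the fixed Chrome extension version (1.0.7) is the only affected-version threshold the advisory states as a plain version string, the quickest inventory check on a Windows endpoint is to read the installed WebEx extension's manifest and compare its version numerically. The script below is an added example, not code from the article or from Cisco. It assumes the Chrome extension ID commonly reported for the Cisco WebEx extension (verify it against chrome://extensions before relying on it) and Chrome's default profile path; the sample extension tree it builds for demonstration is constructed here, not taken from a real machine.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumption (not stated in the article): this is the ID commonly reported
# for the Cisco WebEx Chrome extension. Confirm it on a real host.
WEBEX_CHROME_EXTENSION_ID = "jlhmfgmfgeifomenelglieieghnjghma"
FIXED_CHROME_VERSION = "1.0.7"  # first fixed version per the advisory


def parse_version(v):
    """Turn '1.0.10' into (1, 0, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_CHROME_VERSION):
    """True if installed < fixed. Pads to equal length so '1.0.7' == '1.0.7.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def scan_extension_root(ext_root):
    """Inspect <ext_root>/<extension id>/<version dir>/manifest.json entries.

    ext_root is a Chrome profile's Extensions directory. Chrome keeps one
    subdirectory per installed version, so several versions may be present;
    each is reported separately with its vulnerability verdict.
    """
    results = []
    ext_dir = Path(ext_root) / WEBEX_CHROME_EXTENSION_ID
    if not ext_dir.is_dir():
        return results  # extension not installed in this profile
    for version_dir in sorted(ext_dir.iterdir()):
        manifest = version_dir / "manifest.json"
        if not manifest.is_file():
            continue
        with open(manifest, encoding="utf-8") as fh:
            version = json.load(fh).get("version", "0")
        results.append({
            "path": str(version_dir),
            "version": version,
            "vulnerable": is_vulnerable(version),
        })
    return results


def default_chrome_extension_root():
    """Default Chrome profile on Windows (assumption: other profiles exist too)."""
    local = os.environ.get("LOCALAPPDATA", "")
    return Path(local) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"


def build_sample_extension_root():
    """Constructed fixture: a fake Extensions dir with an old and a fixed version."""
    root = Path(tempfile.mkdtemp(prefix="webex-check-"))
    for dirname, version in (("1.0.5_0", "1.0.5"), ("1.0.12_0", "1.0.12")):
        d = root / WEBEX_CHROME_EXTENSION_ID / dirname
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": version}))
    return root


if __name__ == "__main__":
    root = default_chrome_extension_root()
    if not root.is_dir():
        root = build_sample_extension_root()  # fall back to the constructed sample
    for entry in scan_extension_root(root):
        state = "VULNERABLE" if entry["vulnerable"] else "fixed"
        print(f"{entry['version']:>8}  {state:<10}  {entry['path']}")
```

Note the numeric comparison: a naive string compare would rank "1.0.12" below "1.0.7" and mark a patched install as vulnerable. To cover every user on the machine, run the scan over each profile directory under "User Data", not only "Default".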
Also on Thursday, Cisco updated its warning about a vulnerability in the web-based management interface of two small-business routers. The Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers have a bug that could allow an unauthenticated, remote attacker to retrieve sensitive information. Specifically, an attacker could download a router’s configuration or detailed diagnostic information, which could, in turn, be used to compromise it.
“The vulnerability is due to improper access controls for URLs,” Cisco explained in its advisory for the vulnerability. “An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs.”
Cisco warned that the initial fix is incomplete and said it is working on updated firmware. It has since added a mitigation recommendation to the advisory:
“If the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure,” Cisco said. “The feature is under Firewall > General and is disabled by default. This will disable the web-based management interface on the WAN IP address, which is reachable via the WAN ports. The web-based management interface will continue to be available on the LAN IP address, which is reachable via the LAN ports.”
The issue affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases 18.104.22.168 and later.