2 min

The company advised of an arbitrary code execution vulnerability in Webex Meetings Desktop App

Cisco has issued an advisory warning that the bug in Webex Meetings Desktop App for Windows has created a “high-severity” security flaw. Indeed, Cisco has given the bug, tracked as CVE-2020-3588, a severity rating of 7.3 out of a possible 10.

The vulnerability occurs in virtualization channel messaging in Cisco Webex Meetings Desktop App for Windows. According to Cisco, this could allow a local attacker to execute arbitrary code on a targeted system. The vulnerability occurs when the app is deployed in a virtual desktop environment using virtual environment optimization.

Bug could allow hackers access to the target user’s OS

According to Cisco, the security flaw is due to improper validation of messages processed by the Cisco Webex Meetings Desktop App. This means a local attacker with limited privileges could exploit the vulnerability by sending malicious messages to the affected software via the virtualization channel interface.

A successful exploit could allow the attacker to modify the underlying operating system configuration, warns Cisco. This in turn could allow the attacker to execute arbitrary code with the privileges of a targeted user.

Now the good news …

The security threat is sever, however it can only be exploited under certain circumstances.

Firstly, Cisco notes that hackers can exploit this particular vulnerability only when Cisco Webex Meetings Desktop App is in a virtual desktop environment. In addition, the app needs to be a hosted virtual desktop (HVD) and configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients.

Cisco has fixed the bug in Webex Meetings Desktop App for Windows releases 40.6.9 and later and 40.8.9 and later. The issue was due to the desktop app improperly validating messages.

More good news: Cisco’s Product Security Incident Response Team (PSIRT) has not observed any attacks in the wild. Cisco found the bug during internal testing. 

There are currently no workarounds that address this particular vulnerability. However, Cisco has released software updates that address the problem. The company urges all Windows 10 users to apply that patch as soon as possible.

Tip: Cisco needs time to make Intent-Based Networking successful