CVSS v2 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
-
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.
The Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server. The WRF Player can also be manually installed for offline playback after downloading the application from www.webex.com.
If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.
Cisco has released software updates that address these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091216-webex.
-
Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are affected. Affected versions of the WRF Player are those prior to the "first fixed" versions, which are shown in the section "Software Versions and Fixes" of this advisory.
To check if a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support -> Downloads section. The version of the WebEx client build will be displayed on the right-hand side of the page under "About Support Center", for example "Client build: 27.11.0.3328."
Cisco recommends that users upgrade to the most current version of the player that is available from http://www.webex.com/downloadplayer.html. However, users can verify the installed version of the WRF Player to determine if it is affected by these vulnerabilities. In order to do so, an administrator must examine the version numbers of the installed files and determine if every one of the files contains the fixed code. Detailed instructions on how to verify the version numbers are provided in the following sections.
Microsoft Windows
There are three dynamically linked libraries (DLLs) that were updated on the Microsoft Windows platform in order to address the vulnerabilities described in this advisory. These files are located in the folder C:\Program Files\WebEx\Record Playback. The version number of each DLL can be identified by browsing the Record Playback directory in Windows Explorer and right-clicking the file name in order to view its properties. The Version or Details tab of the properties page provides the library version. The table below gives the first fixed version number for each DLL. If the installed versions are equal to, or greater than, the versions provided in the table, the system is not vulnerable.

Library        T26               T27
atas32.dll     2.5.49.4          2.6.10.1
ataudio.dll    26.2009.6.6       27.2009.6.17
atrpui.dll     921.2008.7.2326   921.2009.6.2027
Mac
There are two package bundles that were updated on the Macintosh platform in order to address the vulnerabilities described in this advisory. These files are located in each user's home directory: in ~/Library/Application Support/WebEx Folder/824 for systems connected to servers running T26, and in ~/Library/Application Support/WebEx Folder/924 for systems connected to servers running T27. The version can be located by browsing the appropriate folder in the Finder and control-clicking the file name. Once the menu is displayed, select "Show Package Contents" and then double-click the Info.plist file. The version number is shown at the bottom of the displayed table.

Bundle             T26       T27
ataudio.bundle     7.5.0.5   8.5.0.2
WebEx Player.app   8.0.1.3   10.14.11.7
Linux
There are two shared objects that were updated on the Linux platform in order to address the vulnerabilities described in this advisory. These files are located in the ~/.webex directory. The version number of each shared object can be obtained by performing a directory listing with the 'ls' command; the version number follows the .so extension in the file name. The following table provides the first non-vulnerable version of each object.

Shared Object   T26         T27
ataudio.so      1.0.26.7    1.27.13.1
atrecply        1.0.26.14   1.0.27.12
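As an added example (not Cisco's own tooling), the following Python compares installed component versions for all three platforms against the first-fixed values in the tables above, field by field, so that a version such as 2.5.49.10 is not mistaken for one below 2.5.49.4 as a plain string comparison would do. The Linux file-name pattern and the sample directory listing are assumptions; Windows and Mac versions are passed in as read from the DLL properties or Info.plist.

```python
"""Check installed WebEx WRF Player component versions against the
"first fixed" versions from cisco-sa-20091216-webex (added example,
not Cisco's own tooling). Versions are compared numerically, field by field."""
import re

# First-fixed versions transcribed from the advisory tables, keyed by
# (platform, train); T26/T27 are the 26.x/27.x client build trains.
FIRST_FIXED = {
    ("windows", "T26"): {"atas32.dll": "2.5.49.4", "ataudio.dll": "26.2009.6.6",
                         "atrpui.dll": "921.2008.7.2326"},
    ("windows", "T27"): {"atas32.dll": "2.6.10.1", "ataudio.dll": "27.2009.6.17",
                         "atrpui.dll": "921.2009.6.2027"},
    ("mac", "T26"): {"ataudio.bundle": "7.5.0.5", "WebEx Player.app": "8.0.1.3"},
    ("mac", "T27"): {"ataudio.bundle": "8.5.0.2", "WebEx Player.app": "10.14.11.7"},
    ("linux", "T26"): {"ataudio.so": "1.0.26.7", "atrecply": "1.0.26.14"},
    ("linux", "T27"): {"ataudio.so": "1.27.13.1", "atrecply": "1.0.27.12"},
}

def version_tuple(version):
    """'921.2009.6.2027' -> (921, 2009, 6, 2027)."""
    return tuple(int(part) for part in version.strip().split("."))

def is_fixed(installed, first_fixed):
    """True when installed is equal to or greater than first_fixed, field by
    field. Shorter versions are zero-padded so '2.6.10' compares as '2.6.10.0'."""
    a, b = version_tuple(installed), version_tuple(first_fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def parse_linux_listing(names):
    """Map component -> version from an ~/.webex listing where the version
    follows the name (assumed form: 'ataudio.so.1.0.26.7', 'atrecply.1.0.26.14')."""
    found = {}
    for name in names:
        match = re.fullmatch(r"(ataudio\.so|atrecply)\.(\d+(?:\.\d+)+)", name)
        if match:
            found[match.group(1)] = match.group(2)
    return found

def audit(platform, train, installed):
    """Return the components that are missing or still below the first fixed
    version; an empty list means every file carries the fixed code."""
    table = FIRST_FIXED[(platform, train)]
    return sorted(name for name, fixed in table.items()
                  if name not in installed or not is_fixed(installed[name], fixed))

# Constructed sample listing of ~/.webex on a T26-connected host; atrecply is stale.
SAMPLE_LISTING = ["ataudio.so.1.0.26.7", "atrecply.1.0.26.9", "webex.log"]
```

Any component reported by audit() is missing or older than the first fixed version and must be upgraded before the host can be considered not vulnerable.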
Products Confirmed Not Vulnerable
The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF) file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WebEx Recording Format (WRF) is a file format that is used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player is an application that is used to play back and edit WRF files (files with the .wrf extension). The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server (stream playback mode). The WRF Player can also be manually installed after downloading the application from www.webex.com to play back WRF files locally (offline playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF Player. The vulnerabilities may lead to a crash of the WRF Player application, or in some cases, lead to remote code execution.
To exploit a vulnerability, a malicious WRF file would need to be opened by the WRF Player application. An attacker may be able to accomplish this by providing the malicious WRF file directly to users (for example, via e-mail), or by convincing users to visit a malicious website. The vulnerability cannot be triggered by users attending a WebEx meeting.
These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:
- CVE-2009-2875
- CVE-2009-2876
- CVE-2009-2877
- CVE-2009-2878
- CVE-2009-2879
- CVE-2009-2880
-
There are no workarounds for the vulnerabilities disclosed in this advisory.
-
The table below contains "First Fixed" information for the Cisco WebEx WRF Player that is automatically downloaded from a WebEx site when a WRF file hosted on that site is accessed (stream playback mode). Fixes are cumulative within a major release, so, for example, if release 27.10.1 is fixed, then release 27.10.2 will have the fix too.

Platform            Major Release 26.x                               Major Release 27.x
Microsoft Windows   26.49.32; available now except lockdown sites    27.10.x; available now for non-PSO and non-lockdown sites
Mac OS X            26.49.35; available early February 2010          27.11.8; available now for non-PSO and non-lockdown sites
Linux               26.49.35; available early February 2010          27.11.8; available now for non-PSO and non-lockdown sites
PSO and lockdown sites running 27.x will receive the fixes for these vulnerabilities during the next emergency patching (EP) cycle. This advisory will be updated to indicate a specific timeline once one is available.
If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server.
If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.
-
The Cisco PSIRT is not aware of malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Xiaopeng Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs advisory is available at http://www.fortiguard.com . Cisco would like to thank FortiGuard Labs for reporting these vulnerabilities to us and for working with us on a coordinated disclosure.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1   2009-December-23   Revised the Vulnerable Products section
Revision 1.0   2009-December-16   Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.