|
Update: Version 1.0.5 of the Google Chrome WebEx plugin, released this morning, fixes this issue. The Google 0-Day project announced a critical remote code execution vulnerability in Cisco's WebEx plugin for Google Chrome. This vulnerability allows a remote attacker to execute arbitrary code on the victim's system by delivering it to the WebEx plugin via a special "secret" URL. The secret pattern: cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html Google set up a test page and published a detailed report about how this vulnerability can be used to execute code [1]. Note that version 1.0.3 of the plugin, which was released on Sunday (Jan 22nd), appears to be still vulnerable. At this point, it is probably best to uninstall the plugin and use a different browser for WebEx (of course, this issue may affect plugins for other browsers as well). An attack would be invisible to the user if executed "right". The user does not have to willingly join a WebEx meeting to exploit this vulnerability.
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1096 --- |
Johannes 4478 Posts ISC Handler Jan 24th 2017 |
| Thread locked Subscribe |
Jan 24th 2017 5 years ago |
|
Cisco WebEx Extension is in the Chrome store now, version 1.05 dated 24 Jan 17. I can't find release notes so I don't know if it has been patched.
|
John 88 Posts |
| Quote |
Jan 24th 2017 5 years ago |
|
For environments served by a web proxy, is blocking URL matching *cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html effective at mitigating until individual plugins can be removed?
|
Anonymous |
| Quote |
Jan 24th 2017 5 years ago |
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
|
John 88 Posts |
| Quote |
Jan 24th 2017 5 years ago |
|
Still issues with 1.0.5 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1096#c38
Issue also affects IE and Firefox per https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex Mozilla are proactively disabling the extension in Firefox - https://bugzilla.mozilla.org/show_bug.cgi?id=1333225 |
Anonymous |
| Quote |
Jan 25th 2017 5 years ago |
|
Tavis Ormandy has stated that 1.0.5 is still open to a bypass..
"issue 1100 is a bypass that still allows code execution on 1.0.5. I have reported it to Cisco PSIRT. The issue requires some details that maybe considered new vulnerabilities, so the details are not available here until a patch is available." Could someone please share info on how to disable this extension in a corporate environment? Must be open to re-enable once the new version is available. :) EDIT: The information at https://www.chromium.org/administrators/policy-list-3#ExtensionInstallBlacklist can be used to achieve this. But is there a nice write-up of "this is how we manage Chrome in our Corporate Environment that you can point me to? :) Thanks dotBATman |
dotBATman 70 Posts |
| Quote |
Jan 25th 2017 5 years ago |
|
Tavis said updating Chrome would trigger an update of the plugins but another poster on the Project Zero page says he did that and the old extensions remained. So forcing an update of Chrome isn't going to update the Webex plugin?
|
JeffSoh 31 Posts |
| Quote |
Jan 25th 2017 5 years ago |
|
You can remove (Chrome) / disable (IE) the Webex extensions with one GPO as follows:
1) Obtain the Chrome ADMX template here: https://support.google.com/chrome/a/answer/187202?hl=en 2) Install the template: https://support.microsoft.com/en-us/help/929841/how-to-create-the-central-store-for-group-policy-administrative-template-files-in-windows-vista 3) Create a GPO and edit it 4) For Chrome: Computer Configuration > Policies > Admin Templates > Google > Google Chrome > Extensions > Configure extensions installation blacklist 4a) Set to Enabled 4b) In Show, add the value: jlhmfgmfgeifomenelglieieghnjghma Note: this string is found from the URL of the Webex extension on Chrome web store. 5) For IE: Computer Configuration > Policies > Admin Templates >Windows Cmoponents > Internet Explorer > Security Features > Add-on Management > Add-on List 6a) Set to Enabled 6b) In Show, add the Value name: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} 6c) Set the Value to 0 (this forces disable) Note: this value name is the Class Id of the Webex add-on "GpcContainer Class" by "Cisco Webex LLC". See: https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy?f=255&MSPPError=-2147217396 7) Save the GPO and link to the desired OUs. Allow time to propagate or use "gpupdate /force" to test right away. NOTE: I only noticed the add-on in IE being disabled after closing and reopening IE. |
T 31 Posts |
| Quote |
Jan 25th 2017 5 years ago |
|
Chrome 56.0.2924.76 includes Cisco WebEx Extension 1.0.6, released 25JAN17. Do we know if this resolves the issue?
|
Anonymous |
| Quote |
Jan 26th 2017 5 years ago |
|
1.0.7 is out and appears to be the fixed version.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex |
JeffSoh 31 Posts |
| Quote |
Jan 26th 2017 5 years ago |
|
Thanks, T!
This is very useful - Let's hope people find and use this. And it will of course work for other plug-ins as well! Just replace the ID. |
dotBATman 70 Posts |
| Quote |
Jan 29th 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
