CVE-2019-1674
published 2019-02-28


Priority: P270, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.76% (95.3th percentile)
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. This vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1 releases. This vulnerability is fixed in Cisco Webex Productivity Tools Release 33.0.7.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_webex_meetings_desktop_app | >= unspecified < 33.6.6 | 33.6.6 |
| cisco | cisco_webex_meetings_desktop_app | >= unspecified < 33.9.1 | 33.9.1 |
| cisco | cisco_webex_productivity_tools | >= unspecified < 33.0.7 | 33.0.7 |
| cisco | webex_meetings | < 33.6.6 | 33.6.6 |
| cisco | webex_meetings_desktop_app_and_cisco_webex_productivity_tools_update_service | | |
| cisco | webex_meetings_online | | |
| cisco | webex_meetings_online | | |
| cisco | webex_meetings_online | | |
| cisco | webex_meetings_online | | |
| cisco | webex_productivity_tools | >= 32.6.0 < 33.0.7 | 33.0.7 |

Detection & IOCs (extracted from sources)

command: sc start webexservice WebexService 1 989898 %mypath:~0,-1%
filename: ptUpdate.xml
filename: ptUpdate.7z
filename: vcruntime140.7z
filename: vcruntime140.dll
filename: dll.txt
process: ptUpdate.exe
process: webexservice
  • Monitor for invocations of the Windows Service Control Manager (sc.exe) starting 'webexservice' with numeric arguments (e.g., '1 989898') followed by a filesystem path, which is the exploit trigger pattern for CVE-2019-1674.
  • Detect use of certutil.exe to decode a file named dll.txt into a .7z archive (vcruntime140.7z), a technique used in the exploit to drop a malicious DLL via the update service.
  • Alert on renaming of ptUpdate.xml and ptUpdate.7z to alternate names (ptUpdate0.xml, ptUpdate0.7z) and replacement with attacker-controlled versions (ptUpdate1.xml, ptUpdate1.7z), indicating manipulation of the Webex update package.
  • Monitor for ptUpdate.exe spawning child processes or executing with SYSTEM privileges, as the exploit causes the Webex update service to run attacker-supplied executables as SYSTEM.
  • In Active Directory environments, monitor for remote invocation of the Webex update service command via OS remote management tools (e.g., WMI, PsExec), as the vulnerability can be exploited remotely in such deployments.
  • The exploit XML (ptUpdate1.xml) references a dummy upgrade server path ('$dummy/upgradeserver/client/ptool/33.8.4') and a fake company domain ('myCompany.webex.com'), meaning these values are attacker-configurable placeholders and not fixed IOCs.
  • The malicious vcruntime140.dll is delivered as a base64-encoded blob decoded via certutil; the encoded payload will vary per attacker campaign, so the dll.txt filename and certutil decode pattern are more reliable detection anchors than the payload bytes themselves.
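
The command-line anchors in the list above, written as detection logic over process-creation events. This is an added example, not part of the original entry or of any vendor rule; the event field names (parent, cmdline), the rule names and the sample events are assumptions constructed for illustration.

```python
import re

# sc.exe (optionally with a \\server argument) starting webexservice with extra arguments.
SC_START = re.compile(
    r'(?i)\bsc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?start\s+"?webexservice"?\s+(?P<args>.+)$')
NUMERIC = re.compile(r'^\d+$')
# Drive path, UNC path, or an unexpanded %variable% such as %mypath:~0,-1%.
PATHLIKE = re.compile(r'(?i)^"?(?:[a-z]:\\|\\\\|%[^%]+%)')
# certutil decoding a text file into a .7z archive (the entry names dll.txt -> vcruntime140.7z).
CERTUTIL = re.compile(
    r'(?i)\bcertutil(?:\.exe)?"?\s+.*-decode\s+"?(?P<src>\S+?)"?\s+"?(?P<dst>\S+?\.7z)"?\s*$')

def detect(event):
    """Return the names of the rules matched by one process-creation event."""
    cmd = event["cmdline"].strip()
    hits = []
    m = SC_START.search(cmd)
    if m:
        toks = m.group("args").split()
        nums = [i for i, t in enumerate(toks) if NUMERIC.match(t)]
        # Numeric argument(s) followed by a filesystem path is the pattern described above.
        if nums and any(PATHLIKE.match(t) for t in toks[nums[0] + 1:]):
            hits.append("webexservice_start_with_args")
    m = CERTUTIL.search(cmd)
    if m and m.group("src").lower().endswith(".txt"):
        hits.append("certutil_decode_to_7z")
    # Any process whose parent is ptUpdate.exe is worth reviewing.
    if event.get("parent", "").lower().endswith("ptupdate.exe"):
        hits.append("ptupdate_child_process")
    return hits

# Constructed sample events (shaped like Sysmon Event ID 1 fields); not real telemetry.
EVENTS = [
    {"parent": "cmd.exe",
     "cmdline": r"sc start webexservice WebexService 1 989898 C:\Users\u1\Desktop\pkg"},
    {"parent": "mmc.exe", "cmdline": "sc start webexservice"},  # plain service start
    {"parent": "cmd.exe", "cmdline": "certutil -decode dll.txt vcruntime140.7z"},
    {"parent": "cmd.exe", "cmdline": "certutil -hashfile setup.exe SHA256"},
    {"parent": r"C:\PLACEHOLDER\ptUpdate.exe", "cmdline": "cmd.exe"},  # placeholder path
]

def scan(events):
    """Return (cmdline, matched rules) for every event that matches at least one rule."""
    return [(e["cmdline"], detect(e)) for e in events if detect(e)]

if __name__ == "__main__":
    for cmdline, rules in scan(EVENTS):
        print(rules, cmdline)
```

A plain `sc start webexservice` with no arguments and a certutil hash check are deliberately left unflagged, so the rules key on the argument pattern rather than on the binaries alone.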

CVSS provenance

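| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_cisco | | 7.8 | HIGH | |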