CVE-2019-1674
published 2019-02-28CVE-2019-1674: A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local…
PriorityP270high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
10.76%
95.3th percentile
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. This vulnerability is fixed in Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1 releases. This vulnerability is fixed in Cisco Webex Productivity Tools Release 33.0.7.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_webex_meetings_desktop_app | >= unspecified < 33.6.6 | 33.6.6 |
| cisco | cisco_webex_meetings_desktop_app | >= unspecified < 33.9.1 | 33.9.1 |
| cisco | cisco_webex_productivity_tools | >= unspecified < 33.0.7 | 33.0.7 |
| cisco | webex_meetings | < 33.6.6 | 33.6.6 |
| cisco | webex_meetings_desktop_app_and_cisco_webex_productivity_tools_update_service | — | — |
| cisco | webex_meetings_online | — | — |
| cisco | webex_meetings_online | — | — |
| cisco | webex_meetings_online | — | — |
| cisco | webex_meetings_online | — | — |
| cisco | webex_productivity_tools | >= 32.6.0 < 33.0.7 | 33.0.7 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for invocations of the Windows Service Control Manager (sc.exe) starting 'webexservice' with numeric arguments (e.g., '1 989898') followed by a filesystem path, which is the exploit trigger pattern for CVE-2019-1674. ↗
- →Detect use of certutil.exe to decode a file named dll.txt into a .7z archive (vcruntime140.7z), a technique used in the exploit to drop a malicious DLL via the update service. ↗
- →Alert on renaming of ptUpdate.xml and ptUpdate.7z to alternate names (ptUpdate0.xml, ptUpdate0.7z) and replacement with attacker-controlled versions (ptUpdate1.xml, ptUpdate1.7z), indicating manipulation of the Webex update package. ↗
- →Monitor for ptUpdate.exe spawning child processes or executing with SYSTEM privileges, as the exploit causes the Webex update service to run attacker-supplied executables as SYSTEM. ↗
- →In Active Directory environments, monitor for remote invocation of the Webex update service command via OS remote management tools (e.g., WMI, PsExec), as the vulnerability can be exploited remotely in such deployments. ↗
- ·The exploit XML (ptUpdate1.xml) references a dummy upgrade server path ('$dummy/upgradeserver/client/ptool/33.8.4') and a fake company domain ('myCompany.webex.com'), meaning these values are attacker-configurable placeholders and not fixed IOCs. ↗
- ·The malicious vcruntime140.dll is delivered as a base64-encoded blob decoded via certutil; the encoded payload will vary per attacker campaign, so the dll.txt filename and certutil decode pattern are more reliable detection anchors than the payload bytes themselves. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_cisco7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Cisco
Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
vendor_cisco·2019-02-27·CVSS 7.8
CVE-2019-1674 [HIGH] CWE-78 Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user.
The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.
While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerabili
Cisco
Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
vendor_cisco·CVSS 3.0
CVE-2019-1674 Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
CVE-2019-1674: Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the
GHSA
GHSA-r6w6-ww22-j2ff: A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated,
ghsa_unreviewed·2022-05-13
CVE-2019-1674 [HIGH] CWE-78 GHSA-r6w6-ww22-j2ff: A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated,
A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. This vulnerability is fixed
No detection rules found.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/107184https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinjhttps://www.exploit-db.com/exploits/46479/http://www.securityfocus.com/bid/107184https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinjhttps://www.exploit-db.com/exploits/46479/
2019-02-28
Published