ALERT - Vulnerability in Cisco WebEx (25.01.17)


Post by pierre » 27 01 2017

ALERT - Vulnerability in Cisco WebEx (25 January 2017)

Initial version of the alert
25 January 2017
Revised version 1.1
25 January 2017
Revised version 1.2
26 January 2017

Sources
Cisco security advisory cisco-sa-20170124-webex of 24 January 2017
https://tools.cisco.com/security/center ... 0124-webex

Google Project Zero
https://bugs.chromium.org/p/project-zer ... il?id=1096

1 - Risk(s)
Remote arbitrary code execution

2 - Affected systems
The Cisco WebEx plugin for Google Chrome, Firefox and Internet Explorer, all on Windows

3 - Summary
A vulnerability has been discovered in Cisco WebEx. It allows an attacker to cause remote arbitrary code execution.

4 - Temporary workaround
The vulnerability CVE-2017-3823 can be exploited when a user visits a site whose URL contains a particular pattern.
Since this pattern can be placed in an iframe that is trivial to hide, exploitation without the user's knowledge is entirely possible.

Cisco states that only Windows systems are affected by this vulnerability.
The Cisco WebEx plugin for Edge on Windows 10 is not vulnerable.
A fix is available for the Cisco WebEx plugin for Google Chrome in version 1.0.5. While it does not close the vulnerability completely, it limits its impact: if the particular pattern appears in a URL on a domain other than *.webex.com or *.webex.com.cn, the user must explicitly accept the code execution. However, this does not protect the user if the above-mentioned sites are themselves vulnerable to cross-site scripting (XSS) flaws.

Pending security fixes, Cisco recommends uninstalling all Cisco WebEx software from vulnerable systems using the "Meeting Services Removal Tool", which is available from https://help.webex.com/docs/DOC-2672

Meeting Services Removal Tool

Description
This executable manually removes all WebEx related folders and files (including
AA/RA/NBR) from your system. This utility should be run after removing all WebEx
software from the Control Panel.

Supported OS/Version
Windows 2K/XP/Vista/7

Supported Cisco WebEx Product Version
All WBS versions

Instructions
Open the downloaded file by double-clicking on it, then follow the prompts. If using Windows
Vista or Windows 7, you must right-click on the file and select Run as administrator.


Where this is not possible, Cisco recommends, at a minimum, using the Cisco WebEx plugin only through an up-to-date Google Chrome browser.

5 - Documentation
Cisco security advisory cisco-sa-20170124-webex of 24 January 2017
https://tools.cisco.com/security/center ... 0124-webex

Google Project Zero
https://bugs.chromium.org/p/project-zer ... il?id=1096

CVE reference CVE-2017-3823
http://cve.mitre.org/cgi-bin/cvename.cg ... -2017-3823
pierre

Posts: 21484
Joined: 20 05 2002
Location: Here and now

Re: ALERT - Vulnerability in Cisco WebEx (25.01.17)

Post by pierre » 31 01 2017

Alert update
31.01.2017

Closure of the alert

Extract from the updated advisory:

Affected Products
  • Vulnerable Products
    This vulnerability affects Cisco WebEx extensions and plugins for Windows when running on most supported browsers. The affected browsers are Google Chrome, Mozilla Firefox, and Internet Explorer for Windows.

    The following versions of the Cisco WebEx browser extensions are affected by the vulnerability described in this document:

    • Versions prior to 1.0.7 of the Cisco WebEx Extension on Google Chrome
    • Versions prior to 106 of the ActiveTouch General Plugin Container on Mozilla Firefox
    • Versions prior to 10031.6.2017.0126 of the GpcContainer Class ActiveX control file on Internet Explorer
    Customers can determine which versions of the Cisco WebEx extensions are being utilized by following the steps listed below:

    Google Chrome
    Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017 and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx Extension for Google Chrome by doing the following:

    1. In Chrome, open the Settings page
    2. Click Extensions
    The extension version is listed next to the Cisco WebEx Extension name.

    The Cisco WebEx Extension for Google Chrome identification string, which organizations can use to identify hosts that contain the plugin, is the following:

    jlhmfgmfgeifomenelglieieghnjghma


    Mozilla Firefox
    Version 106 of the ActiveTouch General Plugin Container for Mozilla Firefox was released on January 28, 2017 and contains a fix for this vulnerability. Mozilla users can ensure they are using the fixed version of the ActiveTouch General Plugin Container for Mozilla by:

    1. Clicking the menu button (three horizontal bars on the upper right of the application) and selecting Add-ons
    2. In the Add-ons Manager tab, click the Plugins panel
    3. Locate the ActiveTouch General Plugin Container in the list of Plugins and click on the More link to obtain the version information
    The Cisco WebEx NPAPI Plugin for Mozilla Firefox identification string, which organizations can use to identify hosts that contain the plugin, is the following:

    atgpccontrol


    Microsoft Internet Explorer
    Version 10031.6.2017.0126 of the GpcContainer Class for Microsoft Internet Explorer was released on January 28, 2017 and contains a fix for this vulnerability. Internet Explorer users can ensure they are using the fixed version of the GpcContainer Class for Internet Explorer by:

    1. In Internet Explorer, select the Tools button
    2. Select Manage add-ons
    3. Select All add-ons from the Show drop-down menu
    4. Select the GpcContainer Class add-on under Cisco WebEx LLC

    The version number is displayed at the bottom of the Manage Add-ons window.

    The Cisco WebEx ActiveX Plugin for Microsoft Internet Explorer Class ID (CLSID), which organizations can use to identify hosts that contain the plugin, is the following:

    E06E2E99-0AA1-11D4-ABA6-0060082AA75C

    Products Confirmed Not Vulnerable
    No other Cisco products are currently known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco WebEx browser extensions for Mac or Linux, or Cisco WebEx on Microsoft Edge.

Workarounds

  • There are no workarounds that address this vulnerability. However, administrators and users of Windows 10 systems may utilize Microsoft Edge to join and participate in WebEx sessions as Microsoft Edge is not affected by this vulnerability. Additionally, administrators and users can remove all WebEx software from a Windows system by using the Meeting Services Removal Tool, which is available from https://help.webex.com/docs/DOC-2672.

    Customers who currently have web proxies or web gateways in their environment can create a URL filtering policy to block web requests matching the following condition:

    URL requests containing the string pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
    and
    URL hostname not matching the known customer's WebEx site URL (e.g. company.webex.com in https://company.webex.com/cwcsf-nativem ... c570b.html)

Fixed Software

  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.



    Fixed Releases

    For the latest information about the following products, please consult the Cisco bug ID provided:


    Browser Plugin Updates

    Google Chrome
    Cisco WebEx Extension for Google Chrome version 1.0.7 was released on January 26, 2017 and contains a fix for this vulnerability. Chrome users can ensure they are using the fixed version of the Cisco WebEx Extension for Google Chrome by doing the following:

    1. In Chrome, open the Settings page
    2. Click Extensions
    3. Select the Developer mode checkbox
    4. Click Update extensions now
    5. Restart the Chrome browser

    Microsoft Internet Explorer and Mozilla Firefox
    Cisco released updated plugins for Microsoft Internet Explorer and Mozilla Firefox on January 28, 2017 that resolve this vulnerability. The plugins are available as part of the Cisco WebEx Client packages associated with each WebEx product, and will be available to download after a WebEx site has been upgraded to a fixed version. Upgraded clients are available from the Downloads section of each site after an upgrade has been performed. Users that connect to an upgraded site without the updated client software may be prompted to perform an online upgrade.

    Customers may check that the browser plugin upgrade was successful by using the following procedures for Microsoft Internet Explorer and Mozilla Firefox:

    Microsoft Internet Explorer
    Version 10031.6.2017.0126 of the GpcContainer Class for Microsoft Internet Explorer was released on January 28, 2017 and contains a fix for this vulnerability. Internet Explorer users can ensure they are using the first fixed or later version of the GpcContainer Class for Internet Explorer by:

    1. In Internet Explorer, select the Tools button
    2. Select Manage add-ons
    3. Select All add-ons from the Show drop-down menu
    4. Select the GpcContainer Class add-on under Cisco WebEx LLC
    The version number is displayed at the bottom of the Manage Add-ons window.

    Mozilla Firefox
    Version 106 of the ActiveTouch General Plugin Container (10031.6.2017.127) for Mozilla Firefox was released on January 28, 2017 and contains a fix for this vulnerability. Mozilla users can ensure they are using the first fixed or later version of the ActiveTouch General Plugin Container for Mozilla by:

    1. Clicking the menu button (three horizontal bars on the upper right of the application) and selecting Add-ons
    2. In the Add-ons Manager tab, click the Plugins panel
    3. Locate the ActiveTouch General Plugin Container in the list of Plugins and click on the More link to obtain the version information

    Validating Cisco WebEx Meeting Center Product Upgrades

    Cisco has upgraded all unlocked customers of the following products to a fixed version:

    • Cisco WebEx Meeting Center
    • Cisco WebEx Event Center
    • Cisco WebEx Training Center
    • Cisco WebEx Support Center
    Customers utilizing a locked version of a Cisco WebEx Meeting Center product will need to request an upgrade with their Cisco service representative (CSR) or Cisco partner.

    Current WebEx customers can confirm that their site has received updated software by reviewing the Application Version information found in the Support section of their WebEx page. To view this information, please perform the following steps:
    1. Sign in to your WebEx account
    2. Click the Meeting Center tab
    3. Under Support, click Downloads
    The Application Version is displayed on the right side of the screen under the About Meeting Center heading.


    Cisco WebEx Software Major Release    Fixed Application Version
    T31.10.2                              31.10.2.5 or later
    T31.9.8                               31.9.8.5 or later
    T30.16.2                              30.16.2.10007 E or later
    T30.15.5                              30.15.5.10009 E or later
    T30.14.2                              30.14.2.10003 E or later
    T30.12.4                              30.12.4.10004 E or later
    T30.9.2                               30.9.2.10010 E or later
    T30.6.6                               30.6.6.10006 E or later
    T30.4.4                               30.4.4.10003 E or later
    T29.13.121                            29.13.121.10011 E or later
    T29.13.94                             29.13.94.10005 E or later
    T29.13.73                             29.13.72.10007 E or later
    T29.13.56                             29.13.56.10008 E or later
    T29.13.42                             29.13.42.10008 E or later
    T29.13.35                             29.13.25.10005 E or later
    T29.13.14                             29.13.14.10012 E or later


    Note: The clients for all licensed features of a Cisco WebEx product must be upgraded to ensure compatibility with the deployed site application version. Upgrading a single client will resolve the vulnerability documented by CVE-2017-3823. The following clients are available:

    • Cisco WebEx Meeting Center Client
    • Cisco WebEx Event Center Client
    • Cisco WebEx Training Center Client
    • Cisco WebEx Support Center Client
    • Cisco WebEx Access Anywhere Client
    • Cisco WebEx Remote Access Client

    Cisco WebEx Meetings Server
    Customers who have deployed Cisco WebEx Meetings Server, the onsite Cisco WebEx offering, can download updated software at https://software.cisco.com/download/navigator.html?mdfid=282628019&flowid=76922 or choose the following options from the Cisco Download Software page: Products > Conferencing > Web Conferencing > WebEx Meetings Server

    Cisco WebEx Meetings Server version 2.0 customers should migrate to Cisco WebEx Meetings Server 2.5 or later. The following releases of Cisco WebEx Meetings Server have been updated to address this vulnerability:

    • WebEx Meetings Server 2.5MR6 Patch 4
    • WebEx Meetings Server 2.6MR3 Patch 2
    • WebEx Meetings Server 2.7MR2 Patch 1

    Cisco WebEx Meetings Server client packages will be available as part of the upgraded solution.


Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.
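The advisory above gives defenders two concrete things to act on: the first fixed version of each WebEx browser component (Vulnerable Products) and a URL-filtering condition for web proxies (Workarounds). The following Python script is an added example, not Cisco's code or anything from the advisory; it encodes the advisory's first-fixed versions and the proxy rule and applies them to a constructed host inventory row and constructed proxy log lines. The log format (timestamp, client IP, method, URL) and the customer site name company.webex.com are assumptions for illustration.

```python
"""Defender-side triage for cisco-sa-20170124-webex (CVE-2017-3823).

Added example, not Cisco's code. Two checks taken from the advisory text:
  1. is an installed WebEx browser component older than the first fixed version?
  2. does a proxied URL match the advisory's URL-filtering condition?
All sample data below is constructed for illustration.
"""
from urllib.parse import urlparse

# First fixed versions per browser, exactly as listed in the advisory.
FIRST_FIXED = {
    "chrome": "1.0.7",          # Cisco WebEx Extension (id jlhmfgmfgeifomenelglieieghnjghma)
    "firefox": "106",           # ActiveTouch General Plugin Container (atgpccontrol)
    "ie": "10031.6.2017.0126",  # GpcContainer Class, CLSID E06E2E99-0AA1-11D4-ABA6-0060082AA75C
}

# String pattern named in the advisory's proxy workaround.
NATIVEMSG_MARKER = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"


def version_tuple(version: str) -> tuple:
    """Split a dotted version into integers so that 1.0.10 sorts after 1.0.7
    and a leading zero (0126) does not break the comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(browser: str, installed: str) -> bool:
    """True when the installed component version is below the first fixed version.
    `browser` is one of chrome / firefox / ie; `installed` is the version string
    read from the browser's extension or add-on manager as the advisory describes."""
    fixed = FIRST_FIXED[browser.lower()]
    return version_tuple(installed) < version_tuple(fixed)


def should_block(url: str, customer_site: str) -> bool:
    """Advisory condition: the URL contains the marker AND its hostname is not the
    customer's own WebEx site (for example company.webex.com)."""
    if NATIVEMSG_MARKER not in url:
        return False
    host = (urlparse(url).hostname or "").lower()
    return host != customer_site.lower()


# Constructed proxy log: <timestamp> <client ip> <method> <url>
SAMPLE_PROXY_LOG = f"""\
2017-01-27T09:12:03Z 10.0.0.21 GET https://company.webex.com/{NATIVEMSG_MARKER}
2017-01-27T09:12:09Z 10.0.0.21 GET https://example.net/news/{NATIVEMSG_MARKER}
2017-01-27T09:12:15Z 10.0.0.33 GET https://example.net/index.html
"""


def filter_log(log_text: str, customer_site: str) -> list:
    """Return (client ip, url) pairs that the advisory's policy would block."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # skip malformed lines rather than crash
            continue
        client_ip, url = parts[1], parts[3]
        if should_block(url, customer_site):
            flagged.append((client_ip, url))
    return flagged


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, browser, installed version)
    inventory = [
        ("ws-01", "chrome", "1.0.5"),
        ("ws-02", "chrome", "1.0.7"),
        ("ws-03", "ie", "10031.6.2017.0125"),
        ("ws-04", "firefox", "106"),
    ]
    for host, browser, ver in inventory:
        state = "VULNERABLE" if is_vulnerable(browser, ver) else "fixed"
        print(f"{host}: {browser} {ver} -> {state}")
    for ip, url in filter_log(SAMPLE_PROXY_LOG, "company.webex.com"):
        print(f"block: {ip} {url}")
```

The version comparison works on integer tuples because a plain string comparison would rank "1.0.10" below "1.0.7"; the Chrome 1.0.5 release that the first post describes as incomplete is therefore correctly reported as still vulnerable. Only the first log line (the customer's own WebEx site) passes the filter unchanged; the marker on any other host is flagged, and lines without the marker are ignored.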

Re: ALERT - Vulnerability in Cisco WebEx (25.01.17)

Post by pierre » 31 01 2017

Closure of the alert

The revision status moves to final version as of 31.01.17

Revision History

    Version | Description | Section | Status | Date
    1.8 | Added additional plugin identification information for Microsoft Internet Explorer. Added Cisco WebEx Productivity Tools to the list of products confirmed not affected. | Affected Products, Fixed Software | Final | 2017-January-31
    1.7 | Added additional plugin identification information for affected browsers in Affected Products section. Additional clarifying information added to Fixed Software section. Added information about upgrading all clients to be compatible with the deployed site application version. Added product status information for Cisco WebEx Meetings Server 2.0 customers. | Affected Products, Fixed Software | Final | 2017-January-31
    1.6 | Updated Affected Products and Fixed Software with correct version information for Internet Explorer. | Affected Products, Fixed Software | Final | 2017-January-30
    1.5 | Updated Fixed Software table of fixed application versions for WebEx sites and customer premises installations. | Fixed Software | Final | 2017-January-29
    1.4 | Updated Summary to reflect updates to all browser extensions. Updated Vulnerable Products to reflect updates to Firefox and Internet Explorer browser extension releases. Updated Fixed Software to include Firefox and Internet Explorer steps to confirm fixed software installation and table of fixed application versions for WebEx sites. | Summary, Vulnerable Products, Fixed Software | Interim | 2017-January-28
    1.3 | Updated summary to include information about Firefox. Updated Vulnerable Products to include additional details about browser extension identification. | Summary, Vulnerable Products, Products Confirmed Not Vulnerable, Fixed Software | Interim | 2017-January-27
    1.2 | Updated summary to include Cisco WebEx Extension update. Updated Fixed Software to reflect Cisco WebEx Extension update for Chrome being available and added Cisco WebEx Meetings bug. Updated Vulnerable Products to no longer reflect Chrome. Updated Products Confirmed Not Vulnerable to reflect Chrome. | Summary, Vulnerable Products, Products Confirmed Not Vulnerable, Fixed Software | Interim | 2017-January-26
    1.1 | Updated details to better explain the vulnerability. Updated fixed software information to indicate that No Fixes are currently available. Previous release of the WebEx Plugin for Chrome version 1.0.5 was incomplete. | Summary, Vulnerable Products, Fixed Software | Interim | 2017-January-25
    1.0 | Initial public release. | | Interim | 2017-January-24
