Detecting Cisco WebEx Browser Extension Remote Code Execution Vulnerability Using ESM
Long time member but first time blogger. This is my first blog post on here so go easy on me but I hope you will find it useful!
Cisco recently released a security advisory about an RCE vulnerability that affects the Cisco WebEx Browser Extension. I won't get into the details of the vulnerability since it is detailed in Cisco's Security Advisory linked below. This vulnerability is rated as critical and has been assigned CVE-2017-3823.
In a nutshell:
"This critical rated vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Meetings Center when they are running on Microsoft Windows."
As those familiar with the vulnerability will know, WebEx uses a certain "magic string" in the URL ("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html") to remotely start a meeting if you have the Chrome extension installed. It was discovered that an attacker can invoke this command from any website, which makes it possible to remotely execute arbitrary code or commands.
Because the exploit always has to request that same magic string, we can build a quick rule in ArcSight ESM as a detection mechanism.
1) Create a new rule
2) Name the rule and add a description as a best practice
3) Add either:
a) A filter to the rule that contains your web proxy traffic
b) The specific device vendor and device product of your web proxy
4) RequestUrl CONTAINS cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
5) Set your aggregation fields as needed
6) In the actions tab, set it to trigger on every event
7) Deploy the rule in Real Time Rules
8) Use the following URL as a test to see if you are vulnerable: Cisco WebEx Command Execution Demo (external link). Visiting the webpage also triggers the rule and can create an alert in real time (or pretty close) if anyone attempts to use this attack against you.
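To show what the rule above actually evaluates, here is a small re-implementation of its logic run over a few proxy events, as an added example that is not part of the original post and not ArcSight code. The events are constructed CEF lines; the vendor/product names "ExampleCorp" and "WebProxy" are placeholders for whatever your proxy reports, and the CEF key "request" is the one ESM maps to RequestUrl. The only indicator is the magic string from the post.

```python
"""Toy re-implementation of the ESM rule logic over CEF-formatted proxy events.

Added example, not part of the original post or of ArcSight. Log lines and
vendor/product names below are constructed placeholders.
"""
import re

# The indicator the rule looks for in RequestUrl (taken from the post).
MAGIC_STRING = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Step 3b of the post: scope the rule to your proxy's device vendor/product.
# Placeholder values; replace with what your proxy actually reports.
PROXY_VENDOR = "ExampleCorp"
PROXY_PRODUCT = "WebProxy"

# Constructed sample events: CEF header fields separated by "|", then a
# key=value extension. "request" is the CEF key ESM maps to RequestUrl.
SAMPLE_EVENTS = [
    "CEF:0|ExampleCorp|WebProxy|1.0|100|Web request|3|src=10.0.0.5 suser=alice request=http://intranet.example/index.html",
    "CEF:0|ExampleCorp|WebProxy|1.0|100|Web request|3|src=10.0.0.7 suser=bob request=http://unrelated.example/" + MAGIC_STRING,
    "CEF:0|OtherVendor|Firewall|2.1|200|Connection|2|src=10.0.0.9 request=http://unrelated.example/" + MAGIC_STRING,
    "CEF:0|ExampleCorp|WebProxy|1.0|100|Web request|3|src=10.0.0.5 suser=alice request=https://www.webex.com/",
]


def parse_cef(line):
    """Split one CEF line into (header dict, extension dict)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "signatureId": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    # Extension values may contain spaces, so split on "key=" boundaries
    # rather than on every space.
    ext = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2)
    return header, ext


def matches_rule(line):
    """Return (src, requestUrl) if the event satisfies the rule, else None.

    Mirrors the post: proxy vendor/product filter AND RequestUrl CONTAINS
    the magic string. CONTAINS is a plain substring test, as here.
    """
    header, ext = parse_cef(line)
    if header["deviceVendor"] != PROXY_VENDOR or header["deviceProduct"] != PROXY_PRODUCT:
        return None
    url = ext.get("request", "")
    if MAGIC_STRING in url:
        return ext.get("src", "?"), url
    return None


def run_rule(events):
    """Apply the rule to every event and collect the hits (one alert per event)."""
    return [hit for hit in (matches_rule(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for src, url in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {src} requested {url}")
```

Only the second event fires: the third carries the magic string too, but it does not come from the proxy vendor/product the rule is scoped to, which is exactly the effect of step 3b. If you want such events from other log sources to alert as well, use the broader filter from step 3a instead.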