tkachouba Trusted Contributor.

Detecting Cisco WebEx Browser Extension Remote Code Execution Vulnerability Using ESM

Long time member but first time blogger.  This is my first blog post on here so go easy on me but I hope you will find it useful!

Cisco recently released a security advisory about an RCE vulnerability that affects the Cisco WebEx Browser Extension.  I won't get into the details of the vulnerability since it is detailed in Cisco's Security Advisory linked below.  However, this vulnerability is rated as critical and has been assigned CVE-2017-3823.

Cisco WebEx Browser Extension Remote Code Execution Vulnerability

In a nutshell:

"This critical rated vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Meetings Center when they are running on Microsoft Windows."

For those familiar with the vulnerability, a certain magic string is used in the URL ("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html") by WebEx to remotely start the meeting if you have the Chrome extension installed.  It was discovered that an attacker can invoke this command on any website, which would make it possible to remotely execute arbitrary code or commands.

Due to the nature of how the vulnerability can be exploited, we can build a quick rule in ArcSight ESM as a detection mechanism.

1) Create a new rule

2) Name the rule and add a description as a best practice

3) Add either:

     a) A filter to the rule that contains your web proxy traffic

     b) The specific device vendor and device product of your web proxy

4) Add the condition: RequestUrl CONTAINS cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html

5) Set your aggregation fields as needed

6) In the Actions tab, set it to On Every Event

7) Deploy the rule in Real Time Rules

8) Use the following URL as a test to see if you are vulnerable: Cisco WebEx Command Execution Demo (external link).  Visiting the webpage also triggers the rule and can create an alert in real time (or pretty close) if anyone attempts to use this attack against you.

Thanks,

Taras Kachouba
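
An offline version of the same check, as an added example that is not part of the original post or any ArcSight content: it applies the RequestUrl CONTAINS condition from the rule above to constructed proxy events, and goes slightly further by ignoring case, decoding percent-encoding, and separating hits on expected WebEx hosts from hits on other sites. The key=value log layout, the field names `src` and `request`, and the `.webex.com` expected-host suffix are assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Magic string quoted in the post above.
MAGIC = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"
# Assumption: hosts on which the pattern is normal WebEx meeting traffic.
EXPECTED_SUFFIXES = (".webex.com",)

# Constructed sample proxy events (hypothetical key=value layout), not real traffic.
SAMPLE_EVENTS = [
    f"src=10.0.0.5 request=https://meet.webex.com/join/{MAGIC}",
    f"src=10.0.0.9 request=http://site.example/x/{MAGIC.upper()}?a=1",
    f"src=10.0.0.7 request=http://other.example/{MAGIC.replace('-', '%2D')}",
    f"src=10.0.0.6 request=http://webex.com.site.example/{MAGIC}",
    "src=10.0.0.8 request=https://www.example.org/index.html",
]

def parse_event(line):
    """Split a 'key=value key=value' line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def normalise(url, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, then lowercase."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()

def classify(line):
    """Return None if the magic string is absent, else a finding with a severity."""
    event = parse_event(line)
    raw_url = event.get("request", "")
    if MAGIC not in normalise(raw_url):
        return None
    # Host comes from the raw URL so decoded characters cannot shift the authority.
    host = urlsplit(raw_url).hostname or ""
    expected = any(host == s.lstrip(".") or host.endswith(s) for s in EXPECTED_SUFFIXES)
    return {"src": event.get("src"), "host": host,
            "severity": "info" if expected else "alert"}

def scan(lines):
    """Classify every line and keep only the ones that matched."""
    return [finding for finding in map(classify, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The host comparison is a suffix match, so a lookalike such as `webex.com.site.example` is still raised as an alert.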

3 Replies
szillmi
Member.

Re: Detecting Cisco WebEx Browser Extension Remote Code Execution Vulnerability Using ESM

Nice job on this! And great detective control!

0 Likes
andrew.dalbor Outstanding Contributor.

Re: Detecting Cisco WebEx Browser Extension Remote Code Execution Vulnerability Using ESM

Great job! Thanks for sharing!

0 Likes
osukhera Respected Contributor.

Re: Detecting Cisco WebEx Browser Extension Remote Code Execution Vulnerability Using ESM

Good job Taras!

0 Likes