New vulnerability (CVE-2019-1674) in Cisco WebEx Meetings

[German]In Cisco WebEx Meetings, a new Elevation of Privilege vulnerability was discovered in the Windows app that allows an attacker to execute commands with system privileges.


Cisco WebEx Meetings is a Web-based solution for video conferencing and online meetings. In addition to the transfer of audio and video data between the conference topics, screen sharing is also possible. However, this solution is always conspicuous by serious vulnerabilities, the most recent being in December 2018.

The vulnerability CVE-2019-1674 affects all Cisco Webex Meetings Desktop App versions between and Earlier versions are probably also affected by this security issue, but have not been verified. The vulnerability was found by SecureAuth researchers.

The OS command injection vulnerability, described by researchers as “bypass to avoid the new controls”, arose when Cisco developers patched a previously discovered DLL hijacking problem (CVE-2018-15442) in the same application. The cause of the CVE-2019-1674 vulnerability is the inability of the Cisco Webex Meetings Desktop App update service to “properly check” the version numbers of new files.

For example, an unprivileged local attacker could exploit this vulnerability by invoking the update service command with a manually crafted “argument and folder”. Within this document, the researchers write:

The vulnerability can be exploited by copying to a local attacker controller folder, the atgpcdec.dll binary and rename it as atgpcdec.7z. Then, a previous version of the ptUpdate.exe file must be compressed as 7z and copied to the controller folder. Also, a malicious dll must be placed in the same folder, named vcruntime140.dll and compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the controller folder for the update binary (ptUpdate.exe) to treat our files as a normal update. To gain privileges, the attacker must start the service with the command line: sc start webexservice WebexService 1 989898 “attacker-controlled-path”

While the CVE-2019-1674 vulnerability can only be exploited locally, administrators should be aware that the vulnerability can be remotely exploited in Active Directory environments by using the operating system’s remote management tools. The vulnerability was reported to Cisco in early December 2018. Cisco provided Security Advisory and Fix a few hours ago. (via)



This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *