Cisco has been busy the last two days pushing out a patch and security advisories for a number of its products, including a fix for a remotely exploitable vulnerability in its WebEx Meetings mobile application for Android.
Cisco said the vulnerability affects versions prior to 8.5.1 of the app, and that it is not aware of public exploits.
“A vulnerability in the custom application permissions handling for Cisco WebEx Meetings for Android could allow an unauthenticated, remote attacker to change platform-specific permissions of a custom application,” Cisco said in its advisory published Tuesday.
Android's developer documentation warns that defining custom permissions is often unnecessary and can expose an app to attack. In the WebEx case, the attacker would have to trick the user into installing a malicious app on the device; that app would exploit the flaw to gain the same permissions as the WebEx app.
“An exploit could allow the attacker to utilize the custom application to silently acquire the same permissions as the WebEx application,” Cisco said. An updated version has already been added to Google Play.
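The pattern behind this class of bug is a custom permission whose protection level lets any installed app hold it, guarding a component the app exports. The script below is an added example, not Cisco's code and not the WebEx app's real manifest: it parses a constructed AndroidManifest.xml (hypothetical package and component names) and reports custom permissions declared at the weak levels, plus exported components a malicious app could reach through them.

```python
"""Audit custom permissions in an AndroidManifest.xml.

Added example, not Cisco's code and not the WebEx app's real manifest. The
manifest below is constructed to show the pattern the Android docs warn about:
a custom permission declared at protectionLevel "normal" or "dangerous" can be
requested by any app on the device, so an exported component guarded by it is
reachable from a malicious app. Only "signature" (same signing key) keeps it
private to the developer's own apps.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
LEVEL = "{%s}protectionLevel" % ANDROID_NS
EXPORTED = "{%s}exported" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Levels that any installed app can obtain: "normal" is granted on request,
# "dangerous" only needs a user tap. A missing protectionLevel means "normal".
WEAK_LEVELS = {"normal", "dangerous"}

# Constructed sample; the package and component names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.meetings">
    <permission android:name="com.example.meetings.permission.JOIN"
                android:protectionLevel="normal"/>
    <permission android:name="com.example.meetings.permission.CONTROL"
                android:protectionLevel="signature"/>
    <permission android:name="com.example.meetings.permission.RECORD"/>
    <application>
        <activity android:name=".JoinActivity" android:exported="true"/>
        <service android:name=".MeetingService" android:exported="true"
                 android:permission="com.example.meetings.permission.JOIN"/>
        <receiver android:name=".ControlReceiver" android:exported="true"
                  android:permission="com.example.meetings.permission.CONTROL"/>
        <service android:name=".InternalService" android:exported="false"/>
    </application>
</manifest>
"""


def _base_level(elem: ET.Element) -> str:
    # protectionLevel may carry flags, e.g. "signature|privileged"; the first
    # token is the base level that decides who can hold the permission.
    return elem.get(LEVEL, "normal").split("|")[0].strip()


def weak_permissions(manifest_xml: str) -> Dict[str, str]:
    """Map each app-declared permission with a weak base level to that level."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME): _base_level(p)
            for p in root.iter("permission")
            if _base_level(p) in WEAK_LEVELS}


def exposed_components(manifest_xml: str) -> List[str]:
    """Exported components a malicious app could reach.

    A component counts as exposed when it is exported and is either unguarded
    or guarded by a custom permission declared at a weak level. Guards not
    declared in this manifest (platform permissions) are left alone.
    """
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME): _base_level(p) for p in root.iter("permission")}
    exposed = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if comp.get(EXPORTED) != "true":
                continue
            guard = comp.get(PERMISSION)
            if guard is None or declared.get(guard) in WEAK_LEVELS:
                exposed.append(comp.get(NAME))
    return exposed


if __name__ == "__main__":
    print("weak custom permissions:", weak_permissions(SAMPLE_MANIFEST))
    print("exposed components:", exposed_components(SAMPLE_MANIFEST))
```

On the sample, the JOIN and RECORD permissions are flagged (RECORD because an omitted protectionLevel defaults to normal) and both the unguarded activity and the JOIN-guarded service are reported; the CONTROL receiver is not, because only an app signed with the same key can hold a signature-level permission. The check is static and says nothing about what a component does once reached, so treat its output as a list of places to review, not a verdict.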
Also on Tuesday, Cisco published three security advisories, warning users of vulnerabilities that have yet to be patched.
The first advisory covers a cross-site request forgery (CSRF) vulnerability in the web-based management interface of its Unified Computing System (UCS) data center platform; the exploit path Cisco describes, a crafted request delivered to a legitimate user of the web application and executed in that user's authenticated session, is the cross-site kind rather than a server-side request forgery. The flaw affects UCS versions 1.3 and 18.104.22.168. UCS lets data center managers unify network, storage and virtualization management in one system.
“The vulnerability is due to improper validation of user-supplied input on the affected system,” Cisco said. “An attacker could exploit this vulnerability by sending the user of the web application a crafted request. If processed, the attacker could gain access and perform unauthorized actions on the targeted system.”
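The reason the attack Cisco describes works is that the victim's browser attaches the management session cookie to any request an attacker's page triggers, so the server has to check something the attacker's page cannot supply. The following is an added example, not Cisco's code and not UCS Manager's real request format or URL: it models one logged-in session, a legitimate request and a forged one, and a check combining an origin comparison with a per-session synchronizer token.

```python
"""Reject a forged state-changing request to a web management interface.

Added example, not Cisco's code and not UCS Manager's real request format or
URL. It models the exploit path in Cisco's description: the victim is logged
in, so the browser attaches the session cookie to any request an attacker's
page triggers; the application must therefore check something the attacker's
page cannot supply (the request's origin and a per-session token).
"""
import hmac
import secrets
from typing import Dict, Optional

APP_ORIGIN = "https://ucs-manager.example"   # hypothetical management URL


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a random token, store it in the server-side session and return it
    so the application can embed it in its own forms."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def reject_reason(session: Dict[str, str], headers: Dict[str, str],
                  form: Dict[str, str]) -> Optional[str]:
    """Return None if a state-changing request may proceed, else why not.

    The session dict stands in for the server-side session the cookie maps
    to; it is the same for a legitimate and a forged request, which is
    exactly the CSRF problem.
    """
    # Browsers set Origin (or at least Referer) on cross-site form posts and
    # an attacker's page cannot change it. Absent both, fail closed.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return "no Origin or Referer header"
    if origin != APP_ORIGIN and not origin.startswith(APP_ORIGIN + "/"):
        return "cross-origin request from " + origin
    # Synchronizer token: the attacker's page cannot read it out of the
    # victim's session, so a forged form cannot include the right value.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or wrong CSRF token"
    return None


# Constructed traffic for one logged-in session (hypothetical action name).
SESSION: Dict[str, str] = {"user": "admin"}
TOKEN = issue_csrf_token(SESSION)

LEGITIMATE = {
    "headers": {"Origin": APP_ORIGIN},
    "form": {"action": "delete_service_profile", "csrf_token": TOKEN},
}
# What a malicious page makes the victim's browser send: same session cookie,
# attacker-chosen body, but the browser stamps the attacker's real origin.
FORGED = {
    "headers": {"Origin": "https://attacker.example"},
    "form": {"action": "delete_service_profile"},
}


def check(request: Dict[str, Dict[str, str]]) -> Optional[str]:
    return reject_reason(SESSION, request["headers"], request["form"])


if __name__ == "__main__":
    print("legitimate:", check(LEGITIMATE))
    print("forged:", check(FORGED))
```

The token is the primary defense; the origin comparison is defense in depth, since Referer can be stripped by proxies and privacy settings, which is why a request carrying neither header is refused rather than allowed through. Both checks only matter for requests that change state, and neither helps if the interface also has a cross-site scripting bug, because script running in the application's own origin can read the token.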
Cisco also warned of a cross-site scripting (XSS) vulnerability in Cisco Unity Connection, its messaging and voicemail management product. The flaw lies in the web-based management interface; a remote attacker could use it to run script in the browser of a user who opens a crafted link. Version 9.1 is affected, Cisco said.
“The vulnerability is due to insufficient input validation of a user-supplied value,” Cisco said in its advisory. “An attacker could exploit this vulnerability by convincing a user to click on a malicious link. An exploit could allow the attacker to gain access to sensitive information on the targeted system.”
The final advisory addresses a vulnerability in the Cisco Unified SIP Phone 3905 that enables an attacker to remotely cause a denial of service condition and crash the phone.
“The vulnerability is due to a resource limitation of the device. An attacker could exploit this vulnerability by sending large amounts of traffic to the affected device,” Cisco said. “An exploit could cause the device to stop functioning properly, resulting in a DoS condition.”
by Michael Mimoso (Twitter: @mike_mimoso)