Critical Security Flaws Reported in Cisco WebEx Meetings Server

By | September 17, 2016


Security researchers have reported some critical security flaws in WebEx Meeting Server. Using one security flaw (CVE-2016-1482), An attacker can exploit it to execute arbitrary commands with elevated privileges by injecting the commands into existing application scripts running on a targeted device located in a DMZ (demilitarized) zone. Using second security flaw (CVE-2016-1483), An unauthenticated attacker to cause a targeted device to enter a DoS condition by repeatedly attempting to access a specific service.

Cisco has released software updates for its WebEx Meetings Server product to address a couple of critical and high severity vulnerabilities that can be exploited remotely for arbitrary command execution and denial-of-service (DoS) attacks.

Both the vulnerabilities are affecting WebEx Meetings Server version 2.6 and they have been addressed with the release of version 2.7. Cisco says it’s unaware of any instances where these flaws have been exploited for malicious purposes.

Earlier this month, Cisco informed customers that a high severity vulnerability in its ACE30 Application Control Engine module and ACE 4700 series Application Control Engine appliances can be exploited for DoS attacks.

The company updated its initial advisory on Thursday to say that the issue will be resolved with the release of version A5(3.5), which is only expected to become available by November 30. What makes this vulnerability interesting is the fact that while it hasn’t been exploited for malicious purposes, it was triggered in some cases by a research project that scans the Internet for SSL/TLS servers.

Affected Products

All software versions running on the Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine prior to A5(3.5) are affected by this vulnerability.

Products Confirmed Not Vulnerable

  • Cisco has confirmed that this vulnerability does not affect the following Cisco products:

    • Cisco ACE XML Gateway
    • Cisco ACE Web Application Firewall
    • Cisco ACE GSS 4400 Series Global Site Selector Appliances
    • Cisco ACE10 Application Control Engine Module
    • Cisco ACE20 Application Control Engine Module

    No other Cisco products are currently known to be affected by this vulnerability.

Subscribe for latest security updates