Details of VAR-201711-0380

ID

VAR-201711-0380

CVE

CVE-2017-12369

TITLE

Cisco WebEx Network Recording Player for Advanced Recording Format and WebEx Recording Format Vulnerable to out-of-bounds reading

Trust: 0.8

sources: JVNDB: JVNDB-2017-010392

DESCRIPTION

A "Cisco WebEx Network Recording Player Out-of-Bounds Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. A remote attacker could exploit this by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file. Exploitation of this could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user. Cisco Bug IDs: CSCve30208, CSCve30214, CSCve30268. Vendors have confirmed this vulnerability Bug ID CSCve30208 , CSCve30214 and CSCve30268 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Cisco WebEx Products are prone to the following security vulnerabilities: 1. Multiple remote code-execution vulnerabilities 2. Failed exploit attempts will likely result in denial-of-service conditions. Cisco WebEx Business Suite (WBS30) client and so on are the client software of Cisco's video conferencing solution. The following products and versions are affected: Cisco WebEx Business Suite (WBS30) client builds prior to T30.20; WebEx Business Suite (WBS31) client builds prior to T31.14.1; WebEx Business Suite (WBS32) client builds prior to T32.2 versions before WebEx Meetings with client builds prior to T31.14; versions prior to WebEx Meeting Server builds 2.7MR3

Trust: 1.98

sources: NVD: CVE-2017-12369 // JVNDB: JVNDB-2017-010392 // BID: 102017 // VULHUB: VHN-102884

AFFECTED PRODUCTS

vendor:	cisco	model:	webex meetings	scope:	eq	version:	t32	Trust: 1.6
vendor:	cisco	model:	webex meetings	scope:	eq	version:	t30	Trust: 1.6
vendor:	cisco	model:	webex meetings	scope:	eq	version:	t29	Trust: 1.6
vendor:	cisco	model:	webex meetings	scope:	eq	version:	t31	Trust: 1.6
vendor:	cisco	model:	webex business suite client	scope:	eq	version:	0	Trust: 0.9
vendor:	cisco	model:	webex meetings	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	webex meetings client	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	webex meeting server	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	webex business suite client t31.10	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	webex business suite client t30.17	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	webex meetings client t31.14	scope:	ne	version:	-	Trust: 0.3
vendor:	cisco	model:	webex meeting server 2.7mr3	scope:	ne	version:	-	Trust: 0.3
vendor:	cisco	model:	webex business suite client t32.2	scope:	ne	version:	-	Trust: 0.3
vendor:	cisco	model:	webex business suite client t31.14.1	scope:	ne	version:	-	Trust: 0.3
vendor:	cisco	model:	webex business suite client t30.20	scope:	ne	version:	-	Trust: 0.3

sources: BID: 102017 // JVNDB: JVNDB-2017-010392 // CNNVD: CNNVD-201711-1142 // NVD: CVE-2017-12369

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12369
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-12369
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201711-1142
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-102884
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12369
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-102884
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12369
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-102884 // JVNDB: JVNDB-2017-010392 // CNNVD: CNNVD-201711-1142 // NVD: CVE-2017-12369

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.9
problemtype:	CWE-119	Trust: 1.0

sources: VULHUB: VHN-102884 // JVNDB: JVNDB-2017-010392 // NVD: CVE-2017-12369

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-1142

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201711-1142

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010392

PATCH

title:	cisco-sa-20171129-webex-players	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex-players	Trust: 0.8
title:	Multiple Cisco product WebEx Recording Format Player and Advanced Recording Format Player Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76797	Trust: 0.6

sources: JVNDB: JVNDB-2017-010392 // CNNVD: CNNVD-201711-1142

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12369	Trust: 2.9
db:	BID	id:	102017	Trust: 2.0
db:	SECTRACK	id:	1039895	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-010392	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-1142	Trust: 0.7
db:	VULHUB	id:	VHN-102884	Trust: 0.1
db:	PACKETSTORM	id:	145176	Trust: 0.1

sources: VULHUB: VHN-102884 // BID: 102017 // JVNDB: JVNDB-2017-010392 // PACKETSTORM: 145176 // CNNVD: CNNVD-201711-1142 // NVD: CVE-2017-12369

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-webex-players	Trust: 2.0
url:	http://www.securityfocus.com/bid/102017	Trust: 1.7
url:	http://www.securitytracker.com/id/1039895	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12369	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12369	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12372	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12367	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12368	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12370	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12371	Trust: 0.1

sources: VULHUB: VHN-102884 // BID: 102017 // JVNDB: JVNDB-2017-010392 // PACKETSTORM: 145176 // CNNVD: CNNVD-201711-1142 // NVD: CVE-2017-12369

CREDITS

Yihan Lian, Fortinet, and Trend Micro.

Trust: 0.3

sources: BID: 102017

SOURCES

db:	VULHUB	id:	VHN-102884
db:	BID	id:	102017
db:	JVNDB	id:	JVNDB-2017-010392
db:	PACKETSTORM	id:	145176
db:	CNNVD	id:	CNNVD-201711-1142
db:	NVD	id:	CVE-2017-12369

LAST UPDATE DATE

2024-11-23T22:22:21.764000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-102884	date:	2019-10-09T00:00:00
db:	BID	id:	102017	date:	2017-12-19T22:01:00
db:	JVNDB	id:	JVNDB-2017-010392	date:	2017-12-13T00:00:00
db:	CNNVD	id:	CNNVD-201711-1142	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-12369	date:	2024-11-21T03:09:24.123

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-102884	date:	2017-11-30T00:00:00
db:	BID	id:	102017	date:	2017-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010392	date:	2017-12-13T00:00:00
db:	PACKETSTORM	id:	145176	date:	2017-12-01T03:05:38
db:	CNNVD	id:	CNNVD-201711-1142	date:	2017-11-30T00:00:00
db:	NVD	id:	CVE-2017-12369	date:	2017-11-30T09:29:01.620