ID

VAR-201901-0354


CVE

CVE-2019-1641


TITLE

Cisco Webex Network Recording Player and Cisco Webex Player Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001452

DESCRIPTION

A vulnerability in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exists because the affected software improperly validates Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file via a link or email attachment and persuading the user to open the file with the affected software. Successful exploitation could allow the attacker to execute arbitrary code on the affected system. These issues are being tracked by Cisco Bug IDs CSCvm65148, CSCvm65207, CSCvm65741, CSCvm65747, CSCvm65794, CSCvm65798, CSCvm86137, CSCvm86143, CSCvm86148, CSCvm86157, CSCvm86160, and CSCvm86165. Cisco Webex Business Suite WBS32 sites and the other products listed here are Cisco video conferencing solutions. The following products are affected: Cisco Webex Business Suite WBS32 sites; Webex Business Suite WBS33 sites; Webex Meetings Online; Webex Meetings Server.

Trust: 1.98

sources: NVD: CVE-2019-1641 // JVNDB: JVNDB-2019-001452 // BID: 106704 // VULHUB: VHN-148553

AFFECTED PRODUCTS

vendor: cisco, model: webex meetings server, scope: eq, version: t31

Trust: 1.0

vendor: cisco, model: webex meetings online, scope: eq, version: 1.3.39

Trust: 1.0

vendor: cisco, model: webex meetings online, scope: eq, version: 1.3.33

Trust: 1.0

vendor: cisco, model: webex meetings server, scope: eq, version: 3.0mr2

Trust: 1.0

vendor: cisco, model: webex meetings online, scope: eq, version: t33.3.5

Trust: 1.0

vendor: cisco, model: webex meetings online, scope: eq, version: t33.5.1

Trust: 1.0

vendor: cisco, model: webex meetings online, scope: eq, version: t32.9

Trust: 1.0

vendor: cisco, model: webex meetings online, scope: -, version: -

Trust: 0.8

vendor: cisco, model: webex meetings server, scope: -, version: -

Trust: 0.8

vendor: cisco, model: webex player, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: webex network recording player, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: webex meetings server 3.0mr2 patch, scope: eq, version: 1

Trust: 0.3

vendor: cisco, model: webex meetings server 3.0mr2, scope: -, version: -

Trust: 0.3

vendor: cisco, model: webex meetings server 3.0mr1, scope: -, version: -

Trust: 0.3

vendor: cisco, model: webex meetings server patch, scope: eq, version: 3.01

Trust: 0.3

vendor: cisco, model: webex meetings server, scope: eq, version: 3.0

Trust: 0.3

vendor: cisco, model: webex meetings server mr2, scope: eq, version: 2.8

Trust: 0.3

vendor: cisco, model: webex meetings server, scope: eq, version: 2.8

Trust: 0.3

vendor: cisco, model: webex meetings server, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: webex meetings online, scope: eq, version: 1.3.37

Trust: 0.3

vendor: cisco, model: webex meetings online, scope: eq, version: 1.3.35

Trust: 0.3

vendor: cisco, model: webex meetings online, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: webex business suite wbs33.4, scope: -, version: -

Trust: 0.3

vendor: cisco, model: webex business suite wbs33, scope: -, version: -

Trust: 0.3

vendor: cisco, model: webex business suite wbs32.15.20, scope: -, version: -

Trust: 0.3

vendor: cisco, model: webex business suite wbs32, scope: -, version: -

Trust: 0.3

vendor: cisco, model: webex meetings server mr2 sp2, scope: ne, version: 3.0

Trust: 0.3

vendor: cisco, model: webex meetings server mr3 sp1, scope: ne, version: 2.8

Trust: 0.3

vendor: cisco, model: webex meetings online, scope: ne, version: 1.3.40

Trust: 0.3

vendor: cisco, model: webex business suite wbs33.7.0, scope: ne, version: -

Trust: 0.3

vendor: cisco, model: webex business suite wbs33.6.1, scope: ne, version: -

Trust: 0.3

vendor: cisco, model: webex business suite wbs32.15.33, scope: ne, version: -

Trust: 0.3

sources: BID: 106704 // JVNDB: JVNDB-2019-001452 // NVD: CVE-2019-1641

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-1641
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1641
value: HIGH

Trust: 1.0

NVD: CVE-2019-1641
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201901-855
value: HIGH

Trust: 0.6

VULHUB: VHN-148553
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-1641
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148553
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-1641
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-148553 // JVNDB: JVNDB-2019-001452 // CNNVD: CNNVD-201901-855 // NVD: CVE-2019-1641 // NVD: CVE-2019-1641

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-148553 // JVNDB: JVNDB-2019-001452 // NVD: CVE-2019-1641

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201901-855

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201901-855

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001452

PATCH

title: cisco-sa-20190123-webex-rce
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-webex-rce

Trust: 0.8

title: Cisco Webex Network Recording Player and Webex Player for Windows Buffer error vulnerability fix
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88936

Trust: 0.6

sources: JVNDB: JVNDB-2019-001452 // CNNVD: CNNVD-201901-855

EXTERNAL IDS

db: NVD, id: CVE-2019-1641

Trust: 2.8

db: BID, id: 106704

Trust: 2.0

db: JVNDB, id: JVNDB-2019-001452

Trust: 0.8

db: CNNVD, id: CNNVD-201901-855

Trust: 0.7

db: VULHUB, id: VHN-148553

Trust: 0.1

sources: VULHUB: VHN-148553 // BID: 106704 // JVNDB: JVNDB-2019-001452 // CNNVD: CNNVD-201901-855 // NVD: CVE-2019-1641

REFERENCES

url:http://www.securityfocus.com/bid/106704

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190123-webex-rce

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1641

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-1641

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-148553 // BID: 106704 // JVNDB: JVNDB-2019-001452 // CNNVD: CNNVD-201901-855 // NVD: CVE-2019-1641

CREDITS

Kushal Arvind Shah and Yonghui Han of Fortinet; Zero Day Initiative. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201901-855

SOURCES

db: VULHUB, id: VHN-148553
db: BID, id: 106704
db: JVNDB, id: JVNDB-2019-001452
db: CNNVD, id: CNNVD-201901-855
db: NVD, id: CVE-2019-1641

LAST UPDATE DATE

2024-11-23T22:26:04.898000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-148553, date: 2019-10-09T00:00:00
db: BID, id: 106704, date: 2019-01-23T00:00:00
db: JVNDB, id: JVNDB-2019-001452, date: 2019-03-06T00:00:00
db: CNNVD, id: CNNVD-201901-855, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2019-1641, date: 2024-11-21T04:36:59.567

SOURCES RELEASE DATE

db: VULHUB, id: VHN-148553, date: 2019-01-23T00:00:00
db: BID, id: 106704, date: 2019-01-23T00:00:00
db: JVNDB, id: JVNDB-2019-001452, date: 2019-03-06T00:00:00
db: CNNVD, id: CNNVD-201901-855, date: 2019-01-24T00:00:00
db: NVD, id: CVE-2019-1641, date: 2019-01-23T23:29:00.480