ID

VAR-202011-1339


CVE

CVE-2020-3603


TITLE

Buffer Error Vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Windows

Trust: 0.8

sources: JVNDB: JVNDB-2020-013257

DESCRIPTION

Multiple vulnerabilities in Cisco Webex Network Recording Player for Windows and Cisco Webex Player for Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerabilities are due to insufficient validation of certain elements of a Webex recording that is stored in the Advanced Recording Format (ARF) or Webex Recording Format (WRF). An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer.

Trust: 2.34

sources: NVD: CVE-2020-3603 // JVNDB: JVNDB-2020-013257 // ZDI: ZDI-20-1361 // VULHUB: VHN-181728

AFFECTED PRODUCTS

vendor: cisco, model: webex meetings, scope: lt, version: 40.6.11

Trust: 1.0

vendor: cisco, model: webex meetings server, scope: eq, version: 4.0

Trust: 1.0

vendor: cisco, model: webex meetings, scope: lt, version: 40.8.0

Trust: 1.0

vendor: cisco, model: webex meetings, scope: gte, version: 40.7.0

Trust: 1.0

vendor: cisco, model: webex meetings server, scope: eq, version: 3.0

Trust: 1.0

vendor: Cisco Systems, model: cisco webex meetings server, scope: -, version: -

Trust: 0.8

vendor: Cisco Systems, model: cisco webex meetings, scope: -, version: -

Trust: 0.8

vendor: cisco, model: webex, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-20-1361 // JVNDB: JVNDB-2020-013257 // NVD: CVE-2020-3603

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3603
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3603
value: HIGH

Trust: 1.0

NVD: CVE-2020-3603
value: HIGH

Trust: 0.8

ZDI: CVE-2020-3603
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202011-341
value: HIGH

Trust: 0.6

VULHUB: VHN-181728
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3603
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-181728
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3603
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2020-3603
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-3603
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-1361 // VULHUB: VHN-181728 // JVNDB: JVNDB-2020-013257 // CNNVD: CNNVD-202011-341 // NVD: CVE-2020-3603 // NVD: CVE-2020-3603

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.1

problemtype:CWE-787

Trust: 1.1

problemtype:Buffer error (CWE-119) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181728 // JVNDB: JVNDB-2020-013257 // NVD: CVE-2020-3603

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202011-341

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202011-341

PATCH

title: cisco-sa-webex-nbr-NOS6FQ24, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-nbr-NOS6FQ24

Trust: 1.5

title: Cisco Webex Network Recording Player Buffer error vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=133199

Trust: 0.6

sources: ZDI: ZDI-20-1361 // JVNDB: JVNDB-2020-013257 // CNNVD: CNNVD-202011-341

EXTERNAL IDS

db: NVD, id: CVE-2020-3603

Trust: 3.2

db: ZDI, id: ZDI-20-1361

Trust: 2.4

db: JVNDB, id: JVNDB-2020-013257

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-11133

Trust: 0.7

db: CNNVD, id: CNNVD-202011-341

Trust: 0.7

db: AUSCERT, id: ESB-2020.3855

Trust: 0.6

db: VULHUB, id: VHN-181728

Trust: 0.1

sources: ZDI: ZDI-20-1361 // VULHUB: VHN-181728 // JVNDB: JVNDB-2020-013257 // CNNVD: CNNVD-202011-341 // NVD: CVE-2020-3603

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-webex-nbr-nos6fq24

Trust: 3.0

url:https://www.zerodayinitiative.com/advisories/zdi-20-1361/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-3603

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2020.3855/

Trust: 0.6

sources: ZDI: ZDI-20-1361 // VULHUB: VHN-181728 // JVNDB: JVNDB-2020-013257 // CNNVD: CNNVD-202011-341 // NVD: CVE-2020-3603

CREDITS

Francis Provencher {PRL}

Trust: 0.7

sources: ZDI: ZDI-20-1361

SOURCES

db: ZDI, id: ZDI-20-1361
db: VULHUB, id: VHN-181728
db: JVNDB, id: JVNDB-2020-013257
db: CNNVD, id: CNNVD-202011-341
db: NVD, id: CVE-2020-3603

LAST UPDATE DATE

2024-11-23T22:37:11.928000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-20-1361, date: 2020-11-10T00:00:00
db: VULHUB, id: VHN-181728, date: 2021-10-19T00:00:00
db: JVNDB, id: JVNDB-2020-013257, date: 2021-06-22T06:49:00
db: CNNVD, id: CNNVD-202011-341, date: 2021-10-20T00:00:00
db: NVD, id: CVE-2020-3603, date: 2024-11-21T05:31:23.817

SOURCES RELEASE DATE

db: ZDI, id: ZDI-20-1361, date: 2020-11-10T00:00:00
db: VULHUB, id: VHN-181728, date: 2020-11-06T00:00:00
db: JVNDB, id: JVNDB-2020-013257, date: 2021-06-22T00:00:00
db: CNNVD, id: CNNVD-202011-341, date: 2020-11-04T00:00:00
db: NVD, id: CVE-2020-3603, date: 2020-11-06T19:15:15.707