Cisco WebEx Player Buffer Overflows Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1025016|
SecurityTracker URL: http://securitytracker.com/id/1025016
CVE-2010-3041, CVE-2010-3042, CVE-2010-3043, CVE-2010-3044
(Links to External Site)
Date: Feb 1 2011
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to client builds T27LC SP22 and T27LB SP21 EP3|
Several vulnerabilities were reported in Cisco WebEx Player. A remote user can cause arbitrary code to be executed on the target user's system.|
A remote user can create a specially crafted WebEx Recording Format (.wrf) or Advanced Recording Format (.arf) file that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.
These vulnerabilities cannot be triggered by users who are attending a WebEx meeting.
TippingPoint and Fortinet's FortiGuard Labs reported some of these vulnerabilities.
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.|
The vendor has issued a fix (WebEx Player T27LC SP22 and T27LB SP21 EP3).|
The vendor's advisory for the WebEx Player is available at:
Vendor URL: www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml (Links to External Site)
|Underlying OS: Linux (Any), UNIX (macOS/OS X), Windows (Any)|
Source Message Contents
Subject: Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabilities|
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabilities
Advisory ID: cisco-sa-20110201-webex
For Public Release 2011 February 1 1600 UTC (GMT)
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) and Advanced Recording Format (ARF) Players.
In some cases, exploitation of the vulnerabilities could allow a
remote attacker to execute arbitrary code on the system of a targeted
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
This advisory is posted at
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
There are no workarounds for the vulnerabilities disclosed in this
Obtaining Fixed Software
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
or as otherwise set forth at Cisco.com Downloads at
Do not contact firstname.lastname@example.org or email@example.com for
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
This advisory is posted on Cisco's worldwide website at :
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
-----END PGP SIGNATURE-----
cust-security-announce mailing list
To unsubscribe, send the command "unsubscribe" in the subject of your message to firstname.lastname@example.org
Go to the Top of This SecurityTracker Archive Page