Cisco Patches High-Severity Webex Vulnerability For Third Time

From threatpost.com

Third time’s hopefully a charm for Cisco, which has patched a high-severity flaw once again in its Webex video conferencing platform.

Cisco Systems is hoping three times is a charm. The networking giant has issued a third patch for a stubborn high-severity flaw in its Webex Meetings platform after researchers once again discovered a way to bypass the previous fix.

The privilege elevation vulnerability (CVE-2019-1674) exists in the update service of Cisco Webex Meetings Desktop App for Windows, and could allow an unauthenticated attacker to gain SYSTEM user privileges and run arbitrary commands. Before this latest bypass, Cisco had first patched the initial privilege-escalation vulnerability in October, and then again when researchers with SecureAuth bypassed that patch in November.

“The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate version numbers of new files,” said SecureAuth researchers in a Wednesday post. “An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This will allow the attacker to run arbitrary commands with SYSTEM user privileges.”
