Reference: CERT-EU Security Advisory 2012-0078

Title: Multiple Buffer Overflow Vulnerabilities in the Cisco WebEx Player [1]

Version history:
29.06.2012 Initial publication

Summary
=======

The Cisco WebEx Recording Format (WRF) player contains four buffer overflow vulnerabilities and the Cisco Advanced Recording Format (ARF) player contains one buffer overflow vulnerability. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user. [1]

To exploit one of these vulnerabilities, the player application must open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerabilities cannot be triggered by users who are attending a WebEx meeting.

CVE-2012-3053
CVE-2012-3054
CVE-2012-3055
CVE-2012-3056
CVE-2012-3057

CVSS v2 Base Score: 9.3 (CRITICAL) (AV:N/AC:M/Au:N/C:C/I:C/A:C) [1,7]

Vulnerable systems
==================

The following client builds of Cisco WebEx Business Suite (WBS 27 and WBS 28) are affected by at least one of the vulnerabilities that are described in this advisory:

Client builds 28.0.0 (T28 L10N)
Client builds 27.32.1 (T27 LD SP32 CP1) and prior
Client builds 27.25.10 (T27 LC SP25 EP10) and prior
Client builds 27.21.10 (T27 LB SP21 EP10) and prior
Client builds 27.11.26 (T27 L SP11 EP26) and prior

Original Details
================

CVE-2012-3053: Buffer overflow in the Cisco WebEx Advanced Recording Format (ARF) player T27 L through SP11 EP26, T27 LB through SP21 EP10, T27 LC before SP25 EP11, T27 LD before SP32 CP2, and T28 L10N before SP1 allows remote attackers to execute arbitrary code via a crafted ARF file, aka Bug ID CSCtz72985.

CVE-2012-3054: Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L through SP11 EP26, T27 LB through SP21 EP10, T27 LC before SP25 EP11, T27 LD before SP32 CP2, and T28 L10N before SP1 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCtz72977.

CVE-2012-3055: Stack-based buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L through SP11 EP26, T27 LB through SP21 EP10, T27 LC before SP25 EP11, T27 LD before SP32 CP2, and T28 L10N before SP1 allows remote attackers to execute arbitrary code via a crafted DHT chunk in a JPEG image within a WRF file, aka Bug ID CSCtz72953.

CVE-2012-3056: Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L through SP11 EP26, T27 LB through SP21 EP10, T27 LC before SP25 EP11, T27 LD before SP32 CP2, and T28 L10N before SP1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted WRF file, aka Bug ID CSCtz72946.

CVE-2012-3057: Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 L through SP11 EP26, T27 LB through SP21 EP10, T27 LC before SP25 EP11, T27 LD before SP32 CP2, and T28 L10N before SP1 allows remote attackers to execute arbitrary code via a crafted size field in audio data within a WRF file, aka Bug ID CSCtz00755.

What can you do?
================

Fix is available via some vendors [1]

What to tell your users?
========================

Normal security best practices apply. In particular, inform your users to be cautious about following links to sites and opening attachments in emails that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward the suspicious email to the respective IT security officer / contact in your institution.

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120627-webex
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3053
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3054
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3055
[5] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3056
[6] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3057
[7] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
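
CVE-2012-3055 in the Original Details section is triggered by a crafted DHT chunk in a JPEG image embedded in a WRF file; the advisory does not describe the root cause. As an added illustration (not part of the original advisory and not Cisco's code), this shows the consistency checks a parser needs before copying a DHT segment's Huffman tables into fixed-size storage. The struct, function name and sample bytes are constructed for this example; the segment layout is the standard JPEG one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHT_MAX_SYMBOLS 256   /* most symbols one Huffman table can hold */
struct dht_table {
    uint8_t tclass, id;       /* Tc: 0 = DC, 1 = AC; Th: destination 0..3 */
    uint8_t counts[16];       /* number of codes of length 1..16 */
    uint8_t symbols[DHT_MAX_SYMBOLS];
    size_t  nsymbols;
};

/* Parse a DHT segment starting at its FF C4 marker; avail = bytes in buffer.
 * Returns the number of tables stored in tabs[], or -1 if inconsistent. */
int dht_parse_segment(const uint8_t *seg, size_t avail, struct dht_table *tabs, int max_tabs)
{
    if (avail < 4 || seg[0] != 0xFF || seg[1] != 0xC4) return -1;
    size_t left = ((size_t)seg[2] << 8) | seg[3];   /* length field counts itself */
    if (left < 2 || left > avail - 2) return -1;    /* segment must fit the buffer */
    const uint8_t *p = seg + 4;
    int n = 0;
    for (left -= 2; left > 0; n++) {
        size_t total = 0;
        if (n >= max_tabs || left < 17) return -1;  /* Tc/Th byte + 16 counts */
        if ((p[0] >> 4) > 1 || (p[0] & 0x0F) > 3) return -1;
        for (int i = 0; i < 16; i++) total += p[1 + i];
        if (total > DHT_MAX_SYMBOLS) return -1;     /* would overflow symbols[] */
        if (total > left - 17) return -1;           /* would read past the segment */
        tabs[n].tclass = p[0] >> 4;
        tabs[n].id = p[0] & 0x0F;
        memcpy(tabs[n].counts, p + 1, 16);
        memcpy(tabs[n].symbols, p + 17, total);
        tabs[n].nsymbols = total;
        p += 17 + total;
        left -= 17 + total;
    }
    return n;
}

/* Constructed samples: GOOD holds 3 symbols; BAD's counts claim 510. */
static const uint8_t GOOD[] = {0xFF,0xC4,0,22, 0x00, 0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,1,2};
static const uint8_t BAD[]  = {0xFF,0xC4,0,22, 0x00, 255,255,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,1,2};

int main(void)
{
    struct dht_table t[4];
    printf("good=%d bad=%d\n", dht_parse_segment(GOOD, sizeof GOOD, t, 4), dht_parse_segment(BAD, sizeof BAD, t, 4));
    return 0;
}
```

Both checks on `total` are needed: the first protects the fixed destination array, the second protects against a count sum that fits the array but exceeds the bytes actually present in the segment.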