A vulnerability has been discovered in the Cisco Webex Teams client for Windows that can allow an authenticated, local attacker to execute arbitrary code at potentially increased privilege through DLL hijacking. An attacker could execute the potentially malicious code contained in their specially crafted DLL at increased privileges, which could result in varying levels of damage, including unwanted programs being downloaded to the target. Cisco has patched this vulnerability, and it is recommended that any Windows users of Webex Teams update the application.
Technical detail and additional information
What is the threat?
A vulnerability exists in the Cisco Webex Teams Client for Windows that could allow an authenticated, local attacker to load a malicious DLL on a device. Successful exploitation of this vulnerability requires both local access and authentication, which means that any potential attacker must already have valid credentials and access to the network. To exploit it, the attacker places a malicious DLL file at a specific location on the target system; when the vulnerable application automatically loads and runs that DLL, the attacker can execute arbitrary code with the privileges of another user’s account.
Why is this noteworthy?
Cisco Webex Teams is a very popular remote collaboration tool that, like many others, has seen a drastic uptick in use as many organizations adapt to COVID-19 operations. A vulnerability such as this can be exploited in organizations of all sizes if it is not patched, and smaller organizations with a weaker security focus are certainly at risk from such lapses in patching. By creating a malicious DLL and placing it at a location from which it will be loaded, the attacker can execute arbitrary code at potentially increased privileges, unbeknownst to the target. It is also noteworthy that this vulnerability exists only in the Windows version of Cisco Teams; Teams for Android, Mac, and iPhone/iPad are currently unaffected.
What is the exposure or risk?
The risk from this vulnerability is arbitrary code execution at potentially increased privilege. If an attacker successfully leverages this method of DLL hijacking, they could execute code of their choosing on the target host. The exact nature of the resulting damage depends on the contents of the DLL, but most commonly it can be used to download potentially harmful files to the device.
What are the recommendations?
Cisco has released software updates that have addressed this vulnerability, and any users of the application should update when possible.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.