Vulnerability Name:

CVE-2018-0380 (CCN-146720)

Assigned:2017-11-27
Published:2018-07-18
Updated:2019-10-09
Summary:Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could cause an affected player to crash, resulting in a denial of service (DoS) condition. The Cisco Webex players are applications that are used to play back Webex meetings that have been recorded by an online meeting attendee. The Webex Network Recording Player for .arf files can be automatically installed when the user accesses a recording that is hosted on a Webex server. The Webex Player for .wrf files can be downloaded manually. These vulnerabilities affect ARF and WRF recording players available from Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server. Cisco Bug IDs: CSCvh70253, CSCvh70268, CSCvh72272, CSCvh72281, CSCvh72285, CSCvi60477, CSCvi60485, CSCvi60490, CSCvi60520, CSCvi60529, CSCvi60533.
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2018-0380

Source: BID
Type: Third Party Advisory, VDB Entry
104880

Source: CCN
Type: BID-104880
Cisco Webex Network Recording Players CVE-2018-0380 Multiple Denial of Service Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041351

Source: XF
Type: UNKNOWN
cisco-cve20180380-dos(146720)

Source: CCN
Type: Cisco Security Advisory cisco-sa-20180718-webex-dos
Cisco Webex Network Recording Players Denial of Service Vulnerabilities

Source: CONFIRM
Type: Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-dos

Vulnerable Configuration:Configuration 1:
  • cpe:/a:cisco:webex_meetings_online:t30:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_online:t31:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_online:t31.20:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_online:t31.23:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_online:t31.23.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:cisco:webex_network_recording_player:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    cisco webex meetings online t30
    cisco webex meetings online t31
    cisco webex meetings online t31.20
    cisco webex meetings online t31.23
    cisco webex meetings online t31.23.2
    cisco webex network recording player -