Vulnerability Name:

CVE-2021-1372 (CCN-196967)

Assigned: 2020-11-13
Published: 2021-02-17
Updated: 2021-02-23
Summary: A vulnerability in Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. This vulnerability is due to the unsafe usage of shared memory by the affected software. An attacker with permissions to view system memory could exploit this vulnerability by running an application on the local system that is designed to read shared memory. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens.
Note: To exploit this vulnerability, an attacker must have valid credentials on a Microsoft Windows end-user system and must log in after another user has already authenticated with Webex on the same end-user system.
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-202
Vulnerability Consequences: Obtain Information
References: Source: MITRE
Type: CNA
CVE-2021-1372

Source: XF
Type: UNKNOWN
cisco-cve20211372-info-disc(196967)

Source: CCN
Type: Cisco Security Advisory cisco-sa-wda-pt-msh-6LWOcZ5
Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability

Source: CISCO
Type: Vendor Advisory
20210217 Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability

Vulnerable Configuration: Configuration 1:
  • cpe:/a:cisco:webex_meetings:*:*:*:*:slow_channel:*:*:* (Version < 40.6)
  • OR cpe:/a:cisco:webex_meetings:*:*:*:*:latest_channel:*:*:* (Version < 40.10)
  • OR cpe:/a:cisco:webex_meetings_server:*:*:*:*:*:*:*:* (Version < 4.0)
  • OR cpe:/a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:maintenance_release1:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:maintenance_release2:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:maintenance_release3:*:*:*:*:*:*
  • OR cpe:/a:cisco:webex_meetings_server:4.0:maintenance_release3_security_patch3:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    cisco webex meetings *
    cisco webex meetings *
    cisco webex meetings server *
    cisco webex meetings server 4.0 -
    cisco webex meetings server 4.0 maintenance_release1
    cisco webex meetings server 4.0 maintenance_release2
    cisco webex meetings server 4.0 maintenance_release3
    cisco webex meetings server 4.0 maintenance_release3_security_patch3