Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability [CVE-2020-3535]

CVE number – CVE-2020-3535

A vulnerability in the loading mechanism of specific DLLs in the Cisco Webex Teams client for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

The vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user’s account.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This vulnerability affects Cisco Webex Teams for Windows releases 3.0.13464.0 through 3.0.16040.0.

Workarounds
  • There are no workarounds that address this vulnerability.
Fixed Software
  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-teams-dll-drsnH5AN

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: