cnvd - cnvd-2020-31990

CNVD-2020-31990

Vulnerability from cnvd - Published: 2020-06-09

Title

Cisco Webex Network Recording Player和Cisco Webex Player输入验证错误漏洞（CNVD-2020-31990）

Description

Cisco Webex Network Recording Player是美国思科（Cisco）公司的一款用于播放视频会议记录的播放器。基于Windows平台的Cisco Webex Network Recording Player和Cisco Webex Player Release 3.0 MR3 Security Patch 2之前版本和4.0 MR3之前版本中存在输入验证错误漏洞。攻击者可通过链接或邮件附件发送恶意的ARF或WRF文件并诱使用户打开该文件利用该漏洞造成进程崩溃，导致拒绝服务。

Severity

低

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.cisco.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-3319

Impacted products

Name
['Cisco WebEx Network Recording Player', 'Cisco WebEx Player <Release 3.0 MR3 Security Patch 2', 'Cisco WebEx Player <4.0 MR3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-3319"
    }
  },
  "description": "Cisco Webex Network Recording Player\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u64ad\u653e\u89c6\u9891\u4f1a\u8bae\u8bb0\u5f55\u7684\u64ad\u653e\u5668\u3002\n\n\u57fa\u4e8eWindows\u5e73\u53f0\u7684Cisco Webex Network Recording Player\u548cCisco Webex Player Release 3.0 MR3 Security Patch 2\u4e4b\u524d\u7248\u672c\u548c4.0 MR3\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u94fe\u63a5\u6216\u90ae\u4ef6\u9644\u4ef6\u53d1\u9001\u6076\u610f\u7684ARF\u6216WRF\u6587\u4ef6\u5e76\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u8be5\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u8fdb\u7a0b\u5d29\u6e83\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.cisco.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-31990",
  "openTime": "2020-06-09",
  "products": {
    "product": [
      "Cisco WebEx Network Recording Player",
      "Cisco WebEx Player \u003cRelease 3.0 MR3 Security Patch 2",
      "Cisco WebEx Player \u003c4.0 MR3"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-3319",
  "serverity": "\u4f4e",
  "submitTime": "2020-06-04",
  "title": "Cisco Webex Network Recording Player\u548cCisco Webex Player\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2020-31990\uff09"
}

CVE-2020-3319 (GCVE-0-2020-3319)

Vulnerability from cvelistv5 – Published: 2020-06-03 16:55 – Updated: 2024-11-15 17:20

Summary

A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file. This vulnerability affects Cisco Webex Network Recording Player and Webex Player releases earlier than Release 3.0 MR3 Security Patch 2 and 4.0 MR3.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

cisco

References

URL

Tags

https://quickview.cloudapps.cisco.com/quickview/b…

vendor-advisoryx_refsource_CISCO

Impacted products

Vendor

Product

Version

Cisco

Cisco Webex Network Recording Player

Affected: unspecified , < 3.0 MR3 Security Patch 2 (custom)
Affected: unspecified , < 4.0 MR3 (custom)

Cisco

Cisco Webex Player for Microsoft Windows

Affected: unspecified , < 3.0 MR3 Security Patch 2 (custom)
Affected: unspecified , < 4.0 MR3 (custom)

Credits

Cisco would like to thank Kexu Wang of Fortinet's FortiGuard Labs for reporting this vulnerability

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:30:57.989Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Cisco Webex Network Recording Player and Cisco Webex Player Denial of Service Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs98254"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-3319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T16:28:22.385143Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T17:20:29.314Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Webex Network Recording Player",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "3.0 MR3 Security Patch 2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "4.0 MR3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Cisco Webex Player for Microsoft Windows",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "3.0 MR3 Security Patch 2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "4.0 MR3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Cisco would like to thank Kexu Wang of Fortinet\u0027s FortiGuard Labs for reporting this vulnerability"
        }
      ],
      "datePublic": "2020-06-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file. This vulnerability affects Cisco Webex Network Recording Player and Webex Player releases earlier than Release 3.0 MR3 Security Patch 2 and 4.0 MR3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-03T16:55:13",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "Cisco Webex Network Recording Player and Cisco Webex Player Denial of Service Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs98254"
        }
      ],
      "source": {
        "advisory": "CSCvs98254",
        "defect": [
          "CSCvs98254",
          "CSCvs98255",
          "CSCvs98256"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Cisco Webex Network Recording Player and Cisco Webex Player Denial of Service Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2020-06-03T16:00:00.000Z",
          "ID": "CVE-2020-3319",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Webex Network Recording Player and Cisco Webex Player Denial of Service Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Webex Network Recording Player",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.0 MR3 Security Patch 2"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.0 MR3"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Cisco Webex Player for Microsoft Windows",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.0 MR3 Security Patch 2"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.0 MR3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Cisco would like to thank Kexu Wang of Fortinet\u0027s FortiGuard Labs for reporting this vulnerability"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file. This vulnerability affects Cisco Webex Network Recording Player and Webex Player releases earlier than Release 3.0 MR3 Security Patch 2 and 4.0 MR3."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "Cisco Webex Network Recording Player and Cisco Webex Player Denial of Service Vulnerability",
              "refsource": "CISCO",
              "url": "https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs98254"
            }
          ]
        },
        "source": {
          "advisory": "CSCvs98254",
          "defect": [
            "CSCvs98254",
            "CSCvs98255",
            "CSCvs98256"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2020-3319",
    "datePublished": "2020-06-03T16:55:13.483571Z",
    "dateReserved": "2019-12-12T00:00:00",
    "dateUpdated": "2024-11-15T17:20:29.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-31990

CVE-2020-3319 (GCVE-0-2020-3319)

Tags

Sightings

Nomenclature