Cisco this week announced the availability of software updates that address multiple vulnerabilities across several products, including bugs leading to unauthorized access to Webex meetings.
Identified by IBM’s security researchers, the Webex flaws could allow attackers to join meetings as ghosts (without being seen by other participants), remain in the meeting as a ghost after being expelled, and access information on meeting attendees (names, email addresses and IP addresses).
Tracked as CVE-2020-3419, the first of the issues impacts both Webex Meetings and Webex Meetings Server and is the result of “improper handling of authentication tokens by a vulnerable Webex site.”
An attacker with access to join a meeting (including meeting join links and passwords) could abuse the flaw by sending crafted requests to a vulnerable Webex Meetings site. This would allow the attacker to join the meeting with full access to audio, chat, video, and screen sharing, but without appearing in the participant list.
IBM’s researchers explain that a “beep” would be the only indicator that the attacker has joined the meeting, but that this indicator might be disabled for large meetings, thus “allowing the ghost to enter perfectly stealthily.”
No workarounds are available for the bug and all Webex Meetings sites prior to November 17, 2020, are affected, Cisco explains. Webex Meetings 40.10.9 and earlier for iOS and Android are affected too, as well as Webex Meetings Server 3.0MR Security Patch 4 and earlier and 4.0MR3 Security Patch 3 and earlier.
Cisco rolled out patches for the bug on November 17. Given that Webex Meetings sites are cloud-based, no user action is required.
The same update also patches CVE-2020-3441 and CVE-2020-3471, vulnerabilities that could lead to the disclosure of sensitive information from the meeting room lobby or could allow an attacker to maintain bidirectional audio after being expelled from a Webex session, respectively.
“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants. […] A malicious actor can become a ghost by manipulating […] messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others,” IBM explains.
A fourth vulnerability addressed in Webex this week could allow a remote attacker to launch cross-site scripting (XSS) attacks without authentication.
Cisco patched 14 other vulnerabilities this week, including three critical flaws, three high-severity bugs, and eight medium-risk vulnerabilities.
The most important of these are CVE-2020-3470 (CVSS score 9.8) – a remote code execution issue in the API subsystem of Cisco Integrated Management Controller (IMC); CVE-2020-3586 (CVSS score 9.4) – arbitrary command execution in the web-based management interface of DNA Spaces Connector; and CVE-2020-3531 (CVSS score 9.8) – access to the back-end database of IoT Field Network Director (FND), where the bug resides in the REST API.
The flaws assessed with a high severity rating include CVE-2020-3367 – command injection and privilege escalation in Secure Web Appliance (formerly Web Security Appliance); CVE-2020-26072 – insufficient authorization in the SOAP API of IoT FND, leading to access to and manipulation of information; and CVE-2020-3392 – improper authentication of API calls in IoT FND, leading to information leakage.
Cisco also patched an unauthorized token generation bug in Telepresence CE and RoomOS software, a bypass of security controls in Expressway software, and multiple medium-risk issues in IoT FND, including cross-site scripting (XSS), improper access control, information disclosure, insufficient input validation, unprotected storage of credentials, and file overwrite.
Further information on all of these vulnerabilities can be found on Cisco’s security portal.