IBM researchers discovered bugs that allow attackers to sneak in and join Webex meetings as ghost users, invisible to other participants.
Cisco Webex Conferencing App:
Besides Zoom, Cisco Webex is one of the apps that came out on top after the COVID-19 pandemic. It is being reported that Webex usage grew 451% this year and that at its peak
Recently, Cisco has also filed three CVEs corresponding to IBM’s findings:
- CVE-2020-3471 — Cisco Webex Meetings and Cisco Webex Meetings Server Audio Information Exposure Vulnerability
- CVE-2020-3441 — Cisco Webex Meeting Information Disclosure Vulnerability
- CVE-2020-3419 — Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability
The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).
CVE-2020-3419 — Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability
Summary
A vulnerability could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list.
A successful exploit requires the attacker to already have what is needed to join the Webex meeting, including the applicable meeting join link and password.
With that access, the attacker could exploit this vulnerability to join meetings without appearing in the participant list, while retaining full access to audio, video, chat, and screen sharing.
Vulnerable Products
- Cisco Webex Meetings apps release 40.10.9 and earlier for iOS and Android.
- Cisco Webex Meetings Server (on-premises): 3.0MR3 Security Patch 4 and earlier, 4.0MR3 Security Patch 3 and earlier
Fixed Software
- Cloud-Based Services – No user action is required.
- On-Premises Software – 3.0MR3 Security Patch 5, 4.0MR3 Security Patch 4
CVE-2020-3471 — Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
Summary
A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session.
A successful exploit could allow the attacker to maintain the audio connection of a Webex session despite being expelled.
Vulnerable Products
- Webex Meetings (cloud-based): WBS 39.5.25 and earlier, WBS 40.6.10 and earlier, WBS 40.9.5
- Cisco Webex Meetings Server (on-premises): 3.0MR3 Security Patch 4 and earlier, 4.0MR3 Security Patch 3 and earlier
Fixed Software
- Cloud-Based Services – No user action is required.
- On-Premises Software – 3.0MR3 Security Patch 5, 4.0MR3 Security Patch 4
CVE-2020-3441 — Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability
Summary
A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to view sensitive information from the meeting room lobby.
A successful exploit could allow the attacker to gather information about other Webex participants, such as email address and IP address, while waiting in the lobby.
Vulnerable Products
- Webex Meetings (cloud-based): all Cisco Webex Meetings sites prior to November 17, 2020.
- Cisco Webex Meetings Server (on-premises): 3.0MR3 Security Patch 4 and earlier, 4.0MR3 Security Patch 3 and earlier
Fixed Software
- Cloud-Based Services – No user action is required.
- On-Premises Software – 3.0MR3 Security Patch 5, 4.0MR3 Security Patch 4
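All three advisories above name the same on-premises fixed builds and give explicit version strings, so an administrator can check a deployment against them mechanically. The following script is an added example, not code from Cisco or IBM: it parses the "3.0MR3 Security Patch 4" style version used for Cisco Webex Meetings Server and the "WBS 40.6.10" style build used for cloud sites, then reports whether a given version is at or above the first fixed build. The version numbers are copied from the advisory text; the function names, the per-train reading of "and earlier" for cloud WBS builds, and the "unknown-train" result for trains the advisories do not mention are assumptions of this example.

```python
"""Patch-level check against the three Webex advisories on this page.

Added example, not Cisco's or IBM's code. Version numbers come from the
advisory text; the per-train comparison rule for cloud builds and all
function names are assumptions of this example.
"""
import re
from typing import NamedTuple

# On-prem Cisco Webex Meetings Server versions read like
# "3.0MR3 Security Patch 4": <major>.<minor>MR<maintenance release> SP <patch>.
CWMS_RE = re.compile(r"^\s*(\d+)\.(\d+)MR(\d+)\s+Security\s+Patch\s+(\d+)\s*$", re.I)
# Cloud site builds are reported as "WBS 40.6.10".
WBS_RE = re.compile(r"^\s*WBS\s+(\d+)\.(\d+)\.(\d+)\s*$", re.I)


class CwmsVersion(NamedTuple):
    major: int
    minor: int
    mr: int
    patch: int


def parse_cwms(text: str) -> CwmsVersion:
    """Parse an on-prem version string; the tuple compares in natural order."""
    m = CWMS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Webex Meetings Server version: {text!r}")
    return CwmsVersion(*(int(g) for g in m.groups()))


def parse_wbs(text: str) -> tuple:
    """Parse a cloud build string into (major, minor, patch)."""
    m = WBS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WBS build string: {text!r}")
    return tuple(int(g) for g in m.groups())


# First fixed on-prem build per release train, from the "Fixed Software"
# sections (identical for CVE-2020-3419, CVE-2020-3471 and CVE-2020-3441).
FIXED_ONPREM = {
    (3, 0): parse_cwms("3.0MR3 Security Patch 5"),
    (4, 0): parse_cwms("4.0MR3 Security Patch 4"),
}

ONPREM_CVES = ("CVE-2020-3419", "CVE-2020-3471", "CVE-2020-3441")


def onprem_status(text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown-train' for an on-prem version.

    Anything below the first fixed build of its train is treated as affected
    ("... Security Patch 4 and earlier"). A train the advisories do not list
    (a hypothetical 5.0, say) is reported as unknown rather than guessed.
    """
    v = parse_cwms(text)
    fixed = FIXED_ONPREM.get((v.major, v.minor))
    if fixed is None:
        return "unknown-train"
    return "fixed" if v >= fixed else "affected"


# Cloud builds listed as affected by CVE-2020-3471, keyed by train.
# Assumption: "WBS 39.5.25 and earlier" means earlier builds of the 39.5
# train; WBS 40.9.5 is listed as a single build.
WBS_3471_AFFECTED = {
    (39, 5): (25, True),   # ceiling patch, "and earlier"
    (40, 6): (10, True),
    (40, 9): (5, False),   # exact build only
}


def wbs_listed_for_cve_2020_3471(text: str) -> bool:
    """True if the cloud build is one the advisory lists for CVE-2020-3471."""
    major, minor, patch = parse_wbs(text)
    entry = WBS_3471_AFFECTED.get((major, minor))
    if entry is None:
        return False
    ceiling, and_earlier = entry
    return patch <= ceiling if and_earlier else patch == ceiling


def onprem_report(text: str) -> dict:
    """Per-CVE view of one on-prem server; all three CVEs share the same fix."""
    status = onprem_status(text)
    return {cve: status for cve in ONPREM_CVES}


if __name__ == "__main__":
    for sample in ("3.0MR3 Security Patch 4", "3.0MR3 Security Patch 5",
                   "4.0MR2 Security Patch 9", "4.0MR3 Security Patch 4"):
        print(f"{sample:26s} -> {onprem_status(sample)}")
    for build in ("WBS 39.5.25", "WBS 40.6.11", "WBS 40.9.5"):
        print(f"{build:12s} -> CVE-2020-3471 listed: {wbs_listed_for_cve_2020_3471(build)}")
```

Cloud sites are patched by Cisco without user action, so the WBS check is only useful for confirming that a site reported as running one of the listed builds has since moved on; the on-prem check is the one that drives a patching decision.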
Security Recommendations:
An attacker can exploit these bugs only if they already know the meeting URL, whether that is a scheduled Webex meeting with a unique meeting URL or a Webex Personal Room.
However, IBM researchers say that “personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name.”
- Use Unique Meeting IDs
- Implement Meeting Passwords/PINs
- Test New Collaboration Tools for Security
- Turn on Notifications & End Suspicious Calls
- Lock Meetings & Restart Meetings for Back to Back Calls