Cisco has addressed three vulnerabilities in its Webex video conferencing platform. Exploiting the bugs could allow uninvited users to join meetings without being seen by the host or the other participants. Cisco fixed the flaws before any exploitation in the wild was reported.
Cisco Webex Vulnerabilities Allowing Ghost Users
Researchers from IBM have detailed their findings on the Cisco Webex vulnerabilities in a recent post.
Briefly, the researchers found three distinct vulnerabilities in the video conferencing platform that could allow "ghost" users to join, or remain in, meetings without appearing in the participant list.
Exploiting these bugs could allow a user (or an adversary) to join a meeting with no visible sign of their presence. Although invisible to the other attendees, the ghost user would still have full access to the shared screens, the audio, and the video.
There was only one sign that could hint at a ghost user having joined: the number of entry beeps would exceed the number of visible participants. For instance, if a meeting showed five attendees, the host might hear six beeps. In practice, however, this indication was trivial to overlook.
In the second scenario, an attendee could remain in the meeting as a ghost after the host expelled them, or after the attendee left on their own. Describing this vulnerability, IBM stated,
We identified that we could maintain the working bidirectional audio communication while a server thought the connection from an attendee dropped — meaning the attendee disappeared from the participants panel and became a ghost.
This bug also put subsequent meetings at risk, since the ghost user would stay connected to the same meeting room and could keep listening as one meeting followed another. For sensitive corporate discussions, this could lead to the leakage of confidential information.
In the third scenario, an adversary could obtain personal information about the meeting attendees, including their names, email addresses, and IP addresses. In a work-from-home setting, an attendee's IP address could also hint at their physical location, which raised the severity of the issue.
IBM also published a demonstration of the attacks alongside its write-up.
Cisco Patched The Flaws
Upon finding the Webex bugs, IBM reported them to Cisco.
Cisco has since addressed the three vulnerabilities: CVE-2020-3419 (the ghost-join flaw), CVE-2020-3471 (audio information exposure after being expelled), and CVE-2020-3441 (attendee information disclosure).
Cisco rated all three as medium severity. The first two received a CVSS score of 6.5, and the third a score of 5.3.
Because the flaws were server-side rather than in the client, Cisco fixed the cloud-hosted Webex service directly, with no action required from cloud users.
For on-premises deployments, Cisco released the fixes in Cisco Webex Meetings Server release 3.0MR3 Security Patch 5 and 4.0MR3 Security Patch 4. Administrators should update to these or later releases to keep ghost attendees out of their Webex meetings.