A remote attacker would not need to be authenticated to exploit the flaw, according to Cisco. All an attacker would need is the meeting ID and a Webex mobile application for either iOS or Android.
“An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application,” wrote Cisco in a Friday advisory. Next, the interloper can access the specific meeting via the mobile Webex app, no password required.
“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications,” Cisco said. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”
One caveat to the attack is that unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee – meaning their presence could be detected by others in the meeting. However, if left undetected, an attacker would be able to eavesdrop on potentially secretive or critical business meeting details.
Affected are Cisco Webex Meetings Suite sites running versions earlier than 39.11.5 and Cisco Webex Meetings Online sites running versions earlier than 40.1.3. Cisco fixed the vulnerability in versions 39.11.5 and later for Cisco Webex Meetings Suite sites and 40.1.3 and later for Cisco Webex Meetings Online sites.
No user interaction is required for the update, according to Cisco. However, users can confirm that their Cisco Webex platform is up to date by following these steps:
- Log in to the Cisco Webex Meetings Suite site or Cisco Webex Meetings Online site and navigate to Downloads on the left side of the page.
- Next to Version Information, hover over the circled i.
- Check the value displayed next to Page version.
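As an added illustration (not code from Cisco or from the article), the following Python helper takes the site type and the Page version read in the steps above and reports whether the site is still below the fixed release named for CVE-2020-3142; the `suite`/`online` keys and the sample versions are assumptions made for the example.

```python
# Added example: triage a Webex site's "Page version" against the fixed
# releases stated for CVE-2020-3142. Not part of the Cisco advisory.
from typing import Tuple

# Fixed releases as stated in the advisory; a site at or above these is patched.
FIXED_VERSIONS = {
    "suite": "39.11.5",   # Cisco Webex Meetings Suite sites
    "online": "40.1.3",   # Cisco Webex Meetings Online sites
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '39.11.5' into (39, 11, 5) so releases compare numerically.

    A plain string comparison would wrongly rank '39.9.9' above '39.11.5'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, page_version: str) -> bool:
    """True when the site still runs a release earlier than the fixed one."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product {product!r}; expected 'suite' or 'online'")
    return parse_version(page_version) < parse_version(FIXED_VERSIONS[product])


def triage(product: str, page_version: str) -> str:
    """One-line verdict suitable for a site inventory report."""
    if is_vulnerable(product, page_version):
        status = f"VULNERABLE (update to {FIXED_VERSIONS[product]} or later)"
    else:
        status = "patched"
    return f"{product:<6} {page_version:<10} {status}"


if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    for prod, ver in [("suite", "39.11.4"), ("suite", "39.11.5"),
                      ("online", "40.1.2"), ("online", "40.1.10")]:
        print(triage(prod, ver))
```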
The flaw (CVE-2020-3142), which has a CVSS score of 7.5 out of 10, was found internally during the resolution of a Cisco TAC support case.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements of the vulnerability that is described in this advisory,” according to Cisco.
High-severity and critical flaws continue to crop up for Cisco’s Webex platform – including one patched just a few weeks ago that could enable a remote attacker to execute commands – as well as video conferencing applications in general. In 2018, for instance, a serious vulnerability in Zoom’s desktop conferencing application was discovered that could allow a remote attacker to hijack screen controls and kick attendees out of meetings.
This is also only the latest security update issued this week by Cisco – the telecom giant on Wednesday released updates addressing 27 flaws, including a critical flaw in its administrative management tool for Cisco network security solutions. Earlier this month, Cisco fixed two high-severity vulnerabilities in its products, including one in its popular Webex video conferencing platform, that could enable a remote attacker to execute commands. Earlier in January, Cisco also patched three critical vulnerabilities (CVE-2019-15975, CVE-2019-15976, CVE-2019-15977) in its Data Center Network Manager (DCNM), for which a proof-of-concept exploit was later published.