Cisco fixed three new vulnerabilities discovered by IBM in Cisco Webex that allowed ‘ghosts’ or hidden visitors to spy on meetings, even after they are detected and removed.
Three important vulnerabilities in Cisco Webex could allow attackers to spy in on corporate video meetings without being detected. The three vulnerabilities were discovered when IBM Research and IBM’s Office of the CISO took up the task to analyze remote working tools, including Webex, in the recently proliferated collaboration space.
Researchers at IBM performed a security analysis of Cisco’s proprietary collaboration tool, which is presently leveraged by millions worldwide. They discovered three critical vulnerabilities, namely CVE-2020-3441, CVE-2020-3471, CVE-2020-3419. All three vulnerabilities are rated as Medium severe with CVSS scores of 5.3, 6.5, and 6.3, respectively.
Through CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419, attackers could gain access to meetings and tamper with the handshake process between Webex apps server and clients.
By manipulating join messages, which are usually exchanged between client and server sides when participants join meetings through the handshake process, hackers can infiltrate meetings and avoid detection, earning them the moniker ‘ghosts.’
However, the participants and hosts can be alerted about a ghost joining a meeting through a beep that goes off with a new audio connection. But this can be disabled, and even if it isn’t, hosts generally don’t keep track of the number of people joining the meeting.
Jiyong Jang, Research Scientist and Manager of the Cyber Security Intelligence (CSI) team at the IBM Thomas J. Watson Research Center, wrote, “We further discovered that an attendee could become a ghost either by being expelled by the host or by simply performing a ‘self-expel.’ Consequently, the host and other participants would not see the ghost attendee on the participant list, and believe the attendee left the meeting.”
See Also: Zoom Touts New Security Features to Prevent Zoom Bombing
According to IBM, exploitation of these three vulnerabilities entails the following:
- Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat and screen-sharing capabilities.
- Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection.
- Gain access to information on meeting attendees — including full names, email addresses and IP addresses — from the meeting room lobby, even without being admitted to the call.
“How do you know they are really gone? It turns out that with this vulnerability, it is extremely difficult to tell. Not only could an attacker join meetings undetected or disappear while maintaining audio connectivity, but they could also simply disregard the host’s expel order, stay in the meeting and keep the audio connection,” explained Jang.
Cisco has patched all three vulnerabilities for cloud-based services, but for on-premise apps like Cisco Webex Meetings mobile app and the Cisco Webex Meetings Server software, users need to upgrade their application clients with the latest version immediately.
The importance of patching these three bugs is evident not only from the ability of the attacker to remain in stealth mode throughout multiple, back-to-back meetings (even after being expelled) but also from the threat posed by exposed information such as names, email addresses, and IP addresses in the waiting lobby.
The exposed information can prove to be a launching pad for additional attacks. For example, an exposed IP address can reveal the home network, which can be weaker than an enterprise-grade network in an on-premise environment.
All three vulnerabilities affect Windows, MacOS and iOS versions of Webex Meetings clients and Webex Room Kit appliance. Amid the pandemic, the platform’s usage swelled by 451% in four months (February to June), and it notched 4 million meetings in a single day.