, Cisco Webex ‘Ghost’ Flaw Opens Meetings to Snooping

Cisco patched the Webex flaw, as well as three critical-severity vulnerabilities, in a slew of security updates on Wednesday.

A vulnerability in Cisco’s Webex conferencing application could allow an attendee to act as a “ghost” in the meeting – allowing them to spy in on potentially sensitive company secrets.

To exploit the flaw (CVE-2020-3419), attackers can be remote – however, they would need access to join the Webex meetings, including applicable meeting “join” links and passwords. For this reason, the flaw is only considered medium severity by Cisco, ranking 6.5 out of 10 on the CVSS scale. However, the practical implications are significant when considering information a “ghost” could obtain in a meeting that assumed he or she was absent from.

Once they have meeting access, an attacker could exploit the flaw by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. The bad actor could then exploit this vulnerability to join meetings – without appearing in the participant list –  giving them full access to audio, video, chat and screen sharing capabilities.

, Cisco Webex ‘Ghost’ Flaw Opens Meetings to Snooping

“With this flaw, a ghost could stay in a meeting while not being seen by others, even after being expelled by the host, which makes this practice especially problematic,” said researchers with IBM in a Wednesday analysis. “We identified that we could maintain the working bidirectional audio communication while a server thought the connection from an attendee dropped — meaning the attendee disappeared from the participants panel and became a ghost.”

This vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. It affected all Cisco Webex Meetings sites prior to November 17, 2020; and all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android.

The flaw also impacts Cisco Webex Meetings Server releases 3.0MR Security Patch 4 and earlier, and 4.0MR3 Security Patch 3 and earlier.

“Cisco addressed this vulnerability on November 17, 2020, in Cisco Webex Meetings sites, which are cloud based,” according to Cisco. “No user action is required.”

Cisco said it’s aware of public announcements of the vulnerability – but so far it has yet to spot any exploits in the wild. The flaws come as collaboration tools – like Webex, as well as Zoom and Skype – face explosive utilization due to the coronavirus pandemic.

Two other flaws in Cisco Webex were also discovered by IBM researchers – including one (CVE-2020-3441) allowing an unauthenticated, remote attacker to view sensitive Webex information from the meeting room lobby, and another (CVE-2020-3471) enabling bad actors to maintain the audio connection of a Webex session despite being expelled.

Critical Cisco Flaws

Cisco on Wednesday also plugged up three critical-severity vulnerabilities. One of these is an issue in the API subsystem of Cisco Integrated Management Controller (IMC) that could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges.

Cisco IMC is a baseboard management controller that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers – allowing system management in the data center and across distributed branch-office locations.

“An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system,” according to Cisco. “When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS).”

The second critical flaw exists in the web-based management interface of Cisco DNA Spaces Connector, and could enable an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

Cisco DNA Spaces is a location aware, task management cloud-based application. The connector helps users connect DNA Spaces in their environment.

“A successful exploit could allow the attacker to execute arbitrary commands on the underling operating system with privileges of the web-based management application, which is running as a restricted user,” according to Cisco.

Finally, Cisco fixed a glitch in the REST API of Cisco IoT Field Network Director (FND) – its network management system for FAN deployment at scale – which could allow an unauthenticated, remote attacker to access the back-end database of an affected system. A successful exploit could allow the attacker to access the back-end database of the affected device and read, alter, or drop information, according to Cisco.

The newest slew of patches comes after Cisco rushed out a patch for a critical vulnerability in its Security Manager, after proof-of-concept (PoC) exploit code was published. And, last week, the networking giant warned of a high-severity flaw in Cisco’s IOS XR software that could allow unauthenticated, remote attackers to cripple Cisco Aggregation Services Routers (ASR). Cisco also recently disclosed a zero-day vulnerability in the Windows, macOS and Linux versions of its AnyConnect Secure Mobility Client Software.