Critical Webex Bugs Let "Ghost" Users Spy on Meetings

Researchers have discovered three dangerous security flaws in CISCO”s popular video conferencing tool, Webex. In the researchers” words, the flaws can allow anyone to become a “ghost,” joining a meeting without being detected.

Discovered by IBM”s Office of the CISO, the flaws came to light after Gartner noted a considerable spike in video conferencing associated with the pandemic. Big Blue was no exception to the rule, having increased its own use of such tools – primarily Webex. Poking around the platform for bugs, the geeks at IBM discovered three nasty vulnerabilities that could allow somebody to:

1. Join a Webex meeting as a ghost without being seen on the participant list, with full access to audio, video, chat and screen-sharing capabilities.
2. Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection.
3. Gain access to information on meeting attendees — including full names, email addresses and IP addresses — from the meeting room lobby, even without being admitted to the call.

The flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms, with the Rooms being a bit easier to exploit “because they are often based on a predictable combination of the room owner”s name and organization name,” according to IBM.

Switchzilla tracks the bugs as follows:

Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability (CVE-2020-3419)

Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability (CVE-2020-3471)

Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability (CVE-2020-3441)

All three vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants. In the case of CVE-2020-3419, the weakness is yielded by the improper handling of authentication tokens by a vulnerable Webex site. To exploit CVE-2020-3471, a malicious actor would take advantage of a synchronization issue between meeting and media services on a vulnerable Webex site. And in the case of CVE-2020-3441, insufficient protection of sensitive participant information is to blame.

“A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others,” IBM researchers said.

The second flaw is especially worrisome, as it can allow a ghost to stay in a meeting unseen by others, even after being expelled by the host.

“We identified that we could maintain the working bidirectional audio communication while a server thought the connection from an attendee dropped — meaning the attendee disappeared from the participants panel and became a ghost,” the researchers said.

Since their discovery, CISCO has addressed these vulnerabilities. The “sites” component is taken care of, but users of CISCOWebex Meetings Server must install 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4 to close these holes. The advisories also mention Webex Meetings apps for iOS and Android as being affected, so be sure to download and install the latest version of those as well.