Cisco has addressed a high-severity flaw in the Cisco Webex video conferencing platform that could be exploited by a remote, unauthenticated attacker to join a Webex session without appearing on the participant list.
The vulnerability stems from improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit it by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site.
“An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s browser. The browser will then request to launch the device’s Webex mobile application,” wrote Cisco in a Friday advisory. The intruder can then join that meeting through the mobile Webex app; no password is required.
This vulnerability affected all Cisco Webex Meetings sites before November 17, 2020. At the time of publication, it also affected all Cisco Webex Meetings app releases 40.10.9 and earlier for iOS and Android.
Cisco also lists the following on-premises Cisco Webex Meetings Server releases as affected: 3.0MR Security Patch 4 and earlier, and 4.0MR3 Security Patch 3 and earlier.
Cisco addressed this vulnerability on November 17, 2020, in the cloud-based Cisco Webex Meetings sites. According to Cisco, no user action is required there.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
Fixed Releases from Cisco
Cisco Webex Meetings mobile app releases 40.11 and later contain the fix for this vulnerability.
The following Cisco Webex Meetings Server releases contain the fix: 3.0MR3 Security Patch 5 and 4.0MR3 Security Patch 4. Customers are advised to update to these releases.
The now-patched flaws were discovered by IBM researchers, whose report says, “Malicious actors could abuse these flaws to become a ‘ghost’ joining a meeting without being detected”. In conclusion, Cisco has patched the cloud-based Cisco Webex Meetings sites and released security updates for the on-premises software to address the flaws.