Cisco Webex Meetings flaw?

A new vulnerability found in the Cisco Webex Meetings client for Windows could allow local authenticated attackers to gain access to sensitive information including usernames, authentication tokens, and meeting information.

Cisco Webex Meetings is a video conferencing and online meeting software for scheduling and joining meetings, with support for presentations, screen sharing, and recording. The information disclosure vulnerability tracked as CVE-2020-3347 affects Cisco Webex Meetings Desktop App for Windows releases earlier than 40.6.0 and it was reported by Trustwave SpiderLabs Security Research Manager Martin Rakhmanov on April 23.

Auth tokens exposed via shared memory

CVE-2020-3347 is caused by the unsafe use of shared memory that the Cisco Webex Meetings desktop client for Windows employs to exchange information with the underlying Windows OS and other apps on the system. This shared memory space can hold highly sensitive information, including auth tokens, usernames, and meeting info, which a malicious local user or process could read and later use to log in to the victim’s WebEx account.

Rakhmanov found that the improperly secured trace files contain the e-mail account used to log in, the URL used to host meetings, and the WebExAccessToken, information attackers can use “to impersonate the user and get access to the WebEx account. The stolen account can thus be leveraged as part of future attacks or immediately utilized to view and edit meetings, download meeting recordings, and more.”

The memory information leakage flaw affects systems where the Cisco Webex Meetings Windows app is configured to log in automatically, which is the default and most common configuration. A video demo of an attack scenario, using proof-of-concept code from Trustwave, can be seen below.
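The disclosure described above has two halves: a secret that the client writes into a local artifact, and a place that other local accounts can read. The following audit script, added here as an example and not code from Cisco or Trustwave, checks both halves over a directory of constructed sample artifacts. It uses POSIX permission bits as a stand-in for a Windows DACL (an assumption: on Windows, `st_mode` does not reflect the ACL, so the permission check would have to be ported to the Win32 security APIs), and the only marker taken from this page is the `WebExAccessToken` field name; the other two marker patterns and all sample contents are constructed.

```python
"""Audit local IPC artifacts (trace files, file-backed shared-memory
segments) for the two conditions the CVE-2020-3347 write-up combines:
the artifact is readable by other local accounts, and it carries a
credential-like value. Added example, not Cisco's or Trustwave's code.
Assumption: POSIX mode bits stand in for a Windows DACL; on Windows,
st_mode does not reflect the ACL, so the permission check would have to
be ported to the Win32 security APIs."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# (label, pattern). "WebExAccessToken" is the field the page names; the other
# two are constructed shapes of generic bearer-token material.
SECRET_MARKERS = [
    ("WebExAccessToken", re.compile(rb"WebExAccessToken")),
    ("bearer-token", re.compile(rb"Bearer\s+[A-Za-z0-9._-]{20,}")),
    ("generic-token-field", re.compile(rb"(?i)(api|access|auth)[_-]?token\s*[=:]")),
]


@dataclass
class Finding:
    path: str
    readable_by_others: bool
    secret_markers: list

    @property
    def exposed(self) -> bool:
        # Disclosure needs both halves: a secret, in a place another local
        # account can read. Either one alone is a weaker hygiene finding.
        return self.readable_by_others and bool(self.secret_markers)


def readable_by_others(mode: int) -> bool:
    """True when the group or world read bit is set: the POSIX stand-in for
    a DACL that grants read to Users/Everyone."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_bytes(data: bytes) -> list:
    """Return the labels of all secret markers present in the artifact."""
    return [label for label, rx in SECRET_MARKERS if rx.search(data)]


def audit_file(path: str) -> Finding:
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        data = fh.read()
    return Finding(path, readable_by_others(mode), scan_bytes(data))


def audit_dir(root: str) -> list:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.append(audit_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)


def exposed_names(root: str) -> list:
    """Base names of artifacts that are both readable by others and hold a secret."""
    return [os.path.basename(f.path) for f in audit_dir(root) if f.exposed]


def build_sample_tree() -> str:
    """Constructed sample directory: one world-readable trace holding a token
    (the reported condition), one owner-only trace holding a token (the
    mitigated shape), and one world-readable file with no secret (benign)."""
    root = tempfile.mkdtemp(prefix="ipc_audit_")
    samples = {
        "trace_leaky.log": (0o644, b"login=alice@example.test WebExAccessToken=CONSTRUCTED_TOKEN_VALUE\n"),
        "trace_private.log": (0o600, b"WebExAccessToken=CONSTRUCTED_TOKEN_VALUE\n"),
        "status.txt": (0o644, b"meeting window open\n"),
    }
    for name, (mode, body) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_dir(sample_root):
        print(f"{os.path.basename(finding.path):18} others_can_read={finding.readable_by_others!s:5} "
              f"markers={finding.secret_markers} EXPOSED={finding.exposed}")
```

Only `trace_leaky.log` is reported as exposed: the owner-only trace holds the same token but nobody else can read it, and the world-readable status file holds nothing worth protecting. That separation is the point of the check; fixing either half (restricting the ACL, or not writing the token at all) closes the disclosure.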

CVE-2020-3347 mitigation

At the moment there are no known workarounds that address this information disclosure vulnerability, but on June 17, 2020 Cisco released free software updates that fix the underlying issues. Cisco patched CVE-2020-3347 in Cisco Webex Meetings Desktop App for Windows releases 40.6.0 and later (39.5.26 and later for lockdown versions). Cisco’s Product Security Incident Response Team (PSIRT) was not aware of public reports or malicious use of this flaw when the advisory was published.

Windows users can update their clients using the instructions available in the Update the Cisco Webex Meetings Desktop App help center article, while admins can update the app for their user base using the procedure detailed in the IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.
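Because the fixed version differs between the regular train (40.6.0) and the lockdown train (39.5.26), a fleet check has to know which train each host is on before it can call a version patched. The script below, an added example rather than Cisco's tooling, triages an inventory export against the two thresholds from the advisory. The inventory lines are constructed; the lockdown flag is assumed to come from deployment records, since a bare version string does not say; a lockdown host that has already moved to 40.x is held to the 40.6.0 threshold (an assumption); and anything that cannot be confirmed fixed is reported as unpatched.

```python
"""Triage an endpoint inventory against the fixed versions Cisco's advisory
gives for CVE-2020-3347: Cisco Webex Meetings Desktop App for Windows
40.6.0 and later, or 39.5.26 and later on the lockdown train. Added
example, not Cisco's tooling. Assumptions: the inventory lines below are
constructed; whether a host runs a lockdown build comes from deployment
records (a bare version string does not say); a lockdown host that has
moved to 40.x is held to the 40.6.0 threshold; anything that cannot be
confirmed fixed is reported as unpatched."""
import csv
import io

FIXED_STANDARD = (40, 6, 0)   # advisory: regular train fixed from 40.6.0
FIXED_LOCKDOWN = (39, 5, 26)  # advisory: lockdown train fixed from 39.5.26

# Constructed inventory export: host, reported app version, lockdown flag.
INVENTORY_CSV = """host,version,lockdown
ws-001,40.6.0,no
ws-002,40.4.12,no
ws-003,39.5.26,yes
ws-004,39.5.26,no
ws-005,39.5.30,yes
ws-006,40.6.4,yes
ws-007,unknown,no
"""


def parse_version(text: str) -> tuple:
    """'40.6' -> (40, 6, 0); raises ValueError on anything non-numeric so the
    caller reports it instead of silently treating it as patched."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    numbers = tuple(int(p) for p in parts)
    return (numbers + (0, 0, 0))[:3]


def is_fixed(version: str, lockdown: bool = False) -> bool:
    """True only when the version meets the advisory threshold for its train."""
    v = parse_version(version)
    if lockdown and v[0] == 39:
        # Lockdown train stays on 39.x; fixed from 39.5.26 (advisory value).
        return v >= FIXED_LOCKDOWN
    # Regular train, or a lockdown host already on 40.x (assumption above).
    # A 39.x host NOT flagged as lockdown cannot be confirmed fixed and falls
    # through to the 40.6.0 threshold, i.e. it is reported as unpatched.
    return v >= FIXED_STANDARD


def triage(inventory_csv: str) -> dict:
    """Split hosts into patched / unpatched / unparseable buckets."""
    buckets = {"patched": [], "unpatched": [], "unparseable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        lockdown = row["lockdown"].strip().lower() in ("yes", "true", "1")
        try:
            fixed = is_fixed(row["version"], lockdown)
        except ValueError:
            buckets["unparseable"].append(row["host"])
            continue
        buckets["patched" if fixed else "unpatched"].append(row["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY_CSV).items():
        print(f"{bucket:12} {', '.join(hosts) or '-'}")
```

The "unparseable" bucket exists so that a host whose inventory agent returned garbage is followed up rather than disappearing from the patched count; the same conservative bias applies to a 39.x host that is not recorded as a lockdown build.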

Cisco also addressed two additional high-severity security flaws affecting Cisco Webex Meetings Desktop App for Windows and macOS that could allow unprivileged attackers to run arbitrary code and programs on unpatched devices. In February 2019, Cisco also fixed a privilege escalation bug in the update service of the Cisco Webex Meetings Desktop App for Windows that could have enabled unauthenticated local attackers to elevate privileges and execute arbitrary commands with SYSTEM privileges.

Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, Master of Legal Studies (WASHU) & MS Criminal Justice and Cybercrime Investigation (BU), comments:

“The practical exploitation of the vulnerability is very limited given that the attacker should already have access to the victim’s machine. Under these circumstances, a creative hacker will easily find a great wealth of alternative attack scenarios that do not require exploitation of any WebEx vulnerabilities.

“I think we can score this specific issue as a “low risk” vulnerability even in the worst case scenario. Moreover, I guess it was patched mostly because of the COVID-19 hype and growing speculations about insecurity of conferencing software.

“The security flaw is, however, a pretty embarrassing ignorance of the most foundational basis of secure software development best practices. Users that share their machines with third parties should install the available security update without delay.”
