Cisco Webex Meetings flaw?

A vulnerability in the Cisco Webex Meetings client for Windows could allow a local, authenticated attacker to gain access to sensitive information, including usernames, authentication tokens and meeting information.

Cisco Webex Meetings is video conferencing and online meeting software for scheduling and joining meetings, with support for presentations, screen sharing and recording. The information disclosure vulnerability, tracked as CVE-2020-3347, affects Cisco Webex Meetings Desktop App for Windows releases earlier than 40.6.0. It was reported to Cisco by Trustwave SpiderLabs security research manager Martin Rakhmanov on April 23, 2020.

Auth tokens exposed via shared memory

CVE-2020-3347 is caused by unsafe use of the shared memory that the Cisco Webex Meetings desktop client for Windows employs to exchange information with the underlying Windows OS and with other applications on the system. That shared memory can hold highly sensitive information, including authentication tokens, usernames and meeting details, which a malicious local user or process could read and later use to log in to the victim’s Webex account.

Rakhmanov found that the improperly secured trace files contain the e-mail address used to log in, the URL used to host meetings and the WebExAccessToken, information that attackers can use “to impersonate the user and get access to the WebEx account. The stolen account can be thus leveraged as part of future attacks or immediately utilized to view and edit meetings, download meeting recordings, and more.”

The memory information leakage flaw affects systems where the Cisco Webex Meetings Windows app has been configured to log in automatically, which is the default and most common configuration. Trustwave’s report includes a video demo of an attack scenario that uses its proof-of-concept code.
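The bug class here, a named memory-mapped object whose permissions let any local account open it for reading, is easy to reproduce and easy to check for. The C program below is an added example, not Trustwave’s proof of concept and not Cisco’s code; it demonstrates the same weakness with a POSIX memory-mapped file on Linux rather than the Windows file-mapping API the Webex client uses, and the file paths, the record layout and the token value are constructed for the illustration. The vulnerable creation (mode 0666) and the hardened one (mode 0600) differ by a single argument; the Windows counterpart of that argument is the DACL in the SECURITY_ATTRIBUTES passed to CreateFileMapping, which must grant access to the owning user rather than to everyone.

```c
/* Added example: the CVE-2020-3347 bug class (a shared memory object that
 * other local users can read) shown with a POSIX memory-mapped file. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAP_SIZE 4096

/* Constructed sample record, modelled on the fields the report lists
 * (login e-mail, site URL, access token). Not a real token. */
static const char SAMPLE_RECORD[] =
    "user=alice@example.com;site=https://example.webex.com;"
    "WebExAccessToken=EXAMPLE_TOKEN_0123;";

/* Create a memory-mapped "trace" file at path with exactly the given mode
 * (fchmod overrides the umask so the demonstration is deterministic) and
 * write SAMPLE_RECORD into the shared mapping. Returns 0 on success, -1 on
 * error. Mode 0666 is the vulnerable pattern; 0600 is the hardened one. */
int create_trace_mapping(const char *path, mode_t mode)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) < 0 || ftruncate(fd, MAP_SIZE) < 0) {
        close(fd);
        return -1;
    }
    char *p = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                       /* the mapping stays valid after close */
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, SAMPLE_RECORD, sizeof SAMPLE_RECORD);   /* copies the NUL too */
    munmap(p, MAP_SIZE);
    return 0;
}

/* Auditor's check: can accounts other than the owner read this object?
 * Returns 1 if group or world read is set, 0 if not, -1 on error. */
int mapping_readable_by_others(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* What a second local process does: open read-only, map the object and
 * pull the token field out. Works from any account when the mode is 0666;
 * with 0600 only the owner (and root) gets past open(). Returns 0 and
 * fills out on success, -1 otherwise. */
int read_token_from_mapping(const char *path, char *out, size_t outlen)
{
    static const char key[] = "WebExAccessToken=";
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    const char *p = mmap(NULL, MAP_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return -1;
    int rc = -1;
    const char *hit = strstr(p, key);        /* record is NUL-terminated */
    if (hit) {
        const char *start = hit + sizeof key - 1;
        size_t n = strcspn(start, ";");
        if (n < outlen) {
            memcpy(out, start, n);
            out[n] = '\0';
            rc = 0;
        }
    }
    munmap((void *)p, MAP_SIZE);
    return rc;
}

int main(void)
{
    const char *weak = "/tmp/webex_trace_weak";      /* constructed paths */
    const char *hard = "/tmp/webex_trace_hardened";
    char token[64];

    if (create_trace_mapping(weak, 0666) == 0 &&
        read_token_from_mapping(weak, token, sizeof token) == 0)
        printf("%s: readable by others=%d, leaked token=%s\n",
               weak, mapping_readable_by_others(weak), token);

    if (create_trace_mapping(hard, 0600) == 0)
        printf("%s: readable by others=%d\n",
               hard, mapping_readable_by_others(hard));

    unlink(weak);
    unlink(hard);
    return 0;
}
```

Build with `cc -o trace_demo trace_demo.c` and run it: the first line reports the token recovered from the world-readable mapping with readable by others=1, the second reports readable by others=0 for the hardened file. Both files are readable from the account that created them, so the permission check, not a successful read from the same account, is what tells you whether another local user could do the same.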


CVE-2020-3347 mitigation

There are no workarounds that address this information disclosure vulnerability, but on June 17, 2020 Cisco released free software updates that fix the underlying issue. CVE-2020-3347 is patched in Cisco Webex Meetings Desktop App for Windows releases 40.6.0 and later (39.5.26 and later for lockdown versions). When the advisory was published, Cisco’s Product Security Incident Response Team (PSIRT) was not aware of any public announcements or malicious use of the flaw.

Windows users can update their clients by following the instructions in the Update the Cisco Webex Meetings Desktop App help center article, while administrators can update the app across their user base using the procedure in the IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.

Cisco also addressed two other high-severity security flaws affecting the Cisco Webex Meetings Desktop App for Windows and macOS that could allow unprivileged attackers to run arbitrary code and programs on unpatched devices. In February 2019, Cisco fixed a privilege escalation bug in the update service of the Cisco Webex Meetings Desktop App for Windows that could have enabled local attackers to elevate privileges and execute arbitrary commands with SYSTEM privileges.

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, Master of Legal Studies (WASHU) and MS Criminal Justice and Cybercrime Investigation (BU), comments:

“The practical exploitation of the vulnerability is very limited given that the attacker should already have access to the victim’s machine. Under these circumstances, a creative hacker will easily find a great wealth of alternative attack scenarios that do not require exploitation of any WebEx vulnerabilities.

“I think we can score this specific issue as a “low risk” vulnerability even in the worst case scenario. Moreover, I guess it was patched mostly because of the COVID-19 hype and growing speculations about insecurity of conferencing software.

“The security flaw is, however, a pretty embarrassing ignorance of the most foundational basis of secure software development best practices. Users that share their machines with third parties should install the available security update without delay.”


About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.
