New Cisco Webex Meetings flaw allows attackers to impersonate users

A flaw in Cisco Webex Meetings client for Windows could allow local authenticated attackers to gain access to sensitive information.

A vulnerability in Cisco Webex Meetings client for Windows, tracked as CVE-2020-3347, could be exploited by local authenticated attackers to gain access to sensitive information.

“A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system.” reads the advisory published by Cisco.

“The vulnerability is due to unsafe usage of shared memory that is used by the affected software. An attacker with permissions to view system memory could exploit this vulnerability by running an application on the local system that is designed to read shared memory. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks.”

Threat actors could trigger the flaw in the popular video conferencing platform to steal sensitive data, including usernames, authentication tokens, and meeting information.

The CVE-2020-3347 vulnerability is an information disclosure issue that affects versions of the Cisco Webex Meetings Desktop App for Windows releases earlier than 40.6.0.

The Cisco Webex Meetings desktop client for Windows uses in an unsafe way shared memory to exchange information with the underlying OS Windows OS and other apps on the system.

“Once the application is installed, it adds a tray app that is started once a user logs on and has some dependent processes launched as well at that time. If a user has configured the client to log in automatically (default case), the following applies.” reads a post published by Trustwave SpiderLabs Security Research Manager Martin Rakhmanov that reported the flaw on April 23.

“The client has several memory-mapped files (sections in Windows terms) open and some are not protected from opening for reading/writing by any other Windows user.”

An attacker could also use the stolen information to access the victim’s WebEx account.

The researcher discovered a specific session called:

\Sessions\\BaseNamedObjects\WBXTRA_TRACE_FILE_EX

that contains all the information that need an attacker could use to impersonate the owner of a Web-Ex account, such as an e-mail account to log in, the URL used to host meetings, and when a user starts a meeting the WebExAccessToken,

The vulnerability affects systems that have been configured to log in automatically.

Attackers could use the stolen data used to view and edit meetings, download meeting recordings.

The expert also published a video PoC of the attack.

Cisco has already addressed the vulnerability with the release of Cisco Webex Meetings Desktop App for Windows releases 40.6.0 and later (versions 39.5.26 and later for lockdown versions). The company informed its users that there are no available workarounds at the moment.

The good news is that Cisco is not aware of public reports or malicious use of this vulnerability.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WebEx)

[adrotate banner=”5″]

[adrotate banner=”13″]