Pierluigi Paganini November 18, 2020

Cisco has addressed three flaws in Webex Meetings that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.

Cisco has addressed three vulnerabilities in Webex Meetings (CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419) that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants.

“A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list.” reads the security advisory published by Cisco.

The vulnerabilities were discovered earlier this year by security by IBM researchers as part of an assessment of the tools used by its personnel for remote working during the COVID-19 pandemic.

Ghost participants to a meeting could be seen in the user list, but they can access any media within the meeting, even if they were not invited.

The flaws also allowed attackers to remain in the Webex meeting as ghost audio users after admins would remove them, they also allowed them to access Webex users’ information, including full names, email addresses, and IP addresses.

The bugs affect Cisco Webex Meetings and Cisco Webex Meetings Server, they reside in the “handshake” process that allows establishing a new Webex meeting.

“Malicious actors could abuse these flaws to become a ‘ghost’ joining a meeting without being detected.” reads the report published by IBM. “The now-patched flaws, discovered by IBM researchers, would have allowed an attacker to:

1. Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat and screen-sharing capabilities.
2. Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection.
3. Gain access to information on meeting attendees — including full names, email addresses and IP addresses — from the meeting room lobby, even without being admitted to the call.”

The experts were able to exploit the flaws on MacOS, Windows, and the iOS version of Meetings applications and Webex Room Kit appliance.

IBM experts also published a video PoC of the attack.

“Once a host starts or unlocks a meeting, a ghost could slip in and join the meeting using the handshake manipulation, without ever showing up on any participant list, including the host’s participant list. The ghost could see and hear other participants, as well as view shared screens and chat without revealing their presence.” continues the report.

“With this technique, the only indication the participants would have that they may not be alone is the beep of a new audio connection. For especially large meetings, the host might disable the entry and exit tone, allowing the ghost to enter perfectly stealthily. In other instances, the ghost’s entry tone would play, but may go unnoticed by the host or other participants who aren’t counting and associating each tone with a specific participant.”

Cisco has patched cloud-based Cisco Webex Meetings sites and released security updates for on-premises software to address the flaws.

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

[adrotate banner=”5″]

[adrotate banner=”13″]