Cisco today fixed three security vulnerabilities in Webex Meetings that allowed unauthorized remote intruders to participate in meetings as ghost participants.
Cisco Webex is an online meeting and video conferencing application that can be used to schedule and attend meetings. It provides users with presentation, screen sharing and recording capabilities.
Cisco's remote conferencing platform saw a 451% increase in usage over four months due to the COVID-19 pandemic, and at its peak hosted about 4 million meetings a day for its 324 million users.
Malicious users who abused the now-patched vulnerabilities could become "ghost" users and join a meeting without being detected, IBM researchers discovered while analyzing Cisco's collaboration tool for vulnerabilities.
"Ghost" users are meeting participants who are not visible in the list of users and have not been invited to the meeting, but can listen, talk and share in the meeting.
The three flaws also allowed attackers to remain in the Webex meeting and maintain a two-way audio connection even after administrators removed them, and to access Webex user information such as email addresses and IP addresses from the meeting "room".
IBM researchers reported the following flaws, which allowed attackers to:
- Participate in a Webex meeting as "Ghost" without appearing on the attendee list with full access to audio, video, chat and screen sharing features (CVE-2020-3419)
- Stay in a Webex meeting as a "Ghost" even if they are expelled from it, maintaining the audio connection (CVE-2020-3471)
- Access meeting information (full names, email addresses and IP addresses) even without being accepted into the call (CVE-2020-3441)
Cisco recommends that users immediately update to the latest version of Webex to secure meetings from intruders trying to exploit these vulnerabilities.