Cisco WebEx bug invites Ghost users 🤡

The increase in usage of remote conference also brings the question of security and data privacy. Researchers at IBM analysed one such popular offering, Cisco’s Webex, and discovered three vulnerabilities in the service that could let attackers join a meeting as a “ghost” without being detected.

The bugs resulted in such bad actors being able to not just joining a meeting secretly, but also stay in a meeting as an audio participant even after being “expelled”. The attacker could also gain details about meeting attendees from the lobby without even entering the call. Even when such an actor enters the call, the only indication is in the form of a connection beep, something that could be ignored in meetings with many attendees. IBM says that it found that the vulnerabilities affect both scheduled meetings and unique meetings with specific URLs.

The researchers explain that the vulnerabilities work when attackers exploit the “handshake” process between Webex client at the user’s end and the server. Attackers could manipulate the request sent over the WebSocket – a connection between the client and the server – due to “improper input validation and sanitization” and inject specially designed values into the request to join as a ghost host. The researchers successfully tested the scenarios and could join the meeting without being present in the participants’ list and without being detected.

IBM says that it immediately shared the details of its finding with Cisco owing to the severity and urgency of the issues. The networking company worked on a fix for the said vulnerabilities, for which it released security advisories today. The three bugs are labeled CVE-2020-3441, CVE-2020-3471, CVE-2020-3419 and have been successfully fixed. Since the issue affected Webex clients on most platforms, the firm recommends that users update their apps to the latest versions.