Three vulnerabilities have been identified in Cisco Systems' Webex Meetings product line that allow an attacker to join a video conference without authorization and monitor it without revealing their presence. Cisco has already patched its cloud services; fixes for the mobile and server Webex applications are available, and the remaining updates are scheduled for release on November 24.
According to the researchers who found them, the new issues stem from the ability to manipulate the data that the Webex client and the backend server exchange during the handshake. The "invisible participant" technique has been reproduced in Webex video conferences and Personal Rooms on macOS, Windows, and iOS.
Presenting the results of their analysis, the IBM researchers noted that, in every case, exploitation requires knowing the URL of the scheduled meeting and is carried out by sending a specially crafted request to the target server.
According to Cisco's advisories, the new flaws collectively allow an attacker to do the following:
- Join a Webex meeting without appearing in the attendee list and gain full access to audio, video, chat, and screen-sharing content (CVE-2020-3419).
- Keep listening to the meeting audio even after being expelled from the meeting by the host (CVE-2020-3471).
- Collect information about meeting attendees, such as full name, email address, and IP address (CVE-2020-3441).
According to IBM, the Webex platform's popularity has grown 5.5-fold this year, apparently driven by COVID-19. On peak days, remote workers held 4 million Webex meetings with a combined total of up to 324 million attendees.