Now patched by Cisco, three flaws in Webex would have given intruders full access to a meeting without being seen, says IBM.When successfully exploited, IBM researchers said that the bugs would have allowed attackers to:
Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat, and screen sharing capabilities (CVE-2020-3419)
Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection (CVE-2020-3471)
Gain access to information on meeting attendees – including full names, email addresses, and IP addresses – from the meeting room lobby, even without being admitted to the call (CVE-2020-3441)
The researchers were able to successfully demonstrate attacks abusing these Webex bugs on Windows, macOS, and the iOS version of Webex Meetings applications and Webex Room Kit appliance.
Mitigating circumstances include the fact that the vulnerabilities can only be exploited if attackers know the URLs of scheduled Webex meetings with unique meeting URLs and Webex Personal Rooms. However, IBM researchers say that "personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner's name and organization name."
Cisco has patched the cloud-based services for Webex, where no user action is required. For customers who run an on premises version of Webex software, the company has issued patches for Webex Meetings Server. Webex users should view the following Common Vulnerabilities and Exposures (CVEs): CVE-2020-3441; CVE-2020-3471; CVE-2020-3419.