Attacker Joins as “Ghosts” in Webex Meetings

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list. This vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit requires the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. The attacker could then exploit this vulnerability to join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities. Cisco addressed this vulnerability on November 17, 2020, in Cisco Webex Meetings sites.

 

To exploit the flaw, attackers can be remote however, they would need access to join the Webex meetings, including applicable meeting “join” links and passwords. However, the practical implications are significant when considering information, a “ghost” could obtain in a meeting that assumed he or she was absent from. Once they have meeting access, an attacker could exploit the flaw by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. The bad actor could then exploit this vulnerability to join meetings without appearing in the participant list them full access to audio, video, chat and screen sharing capabilities.

 

CVE-ID: CVE-2020-3419

 

Critical Cisco Flaws:

 

  • The first flaw was in the API subsystem of the Cisco Integrated Management Controller (IMC) that could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. Cisco IMC is a baseboard management controller that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers allowing system management in the data center and across distributed branch-office locations.

 

  • The second critical flaw exists in the web-based management interface of the Cisco DNA Spaces Connector and could enable an unauthenticated, remote attacker to execute arbitrary commands on an affected device. Cisco DNA Spaces is a location-aware, task management cloud-based application. The connector helps users connect DNA Spaces in their environment.

 

  • Then a high-severity flaw in Cisco’s IOS XR software detected that could allow unauthenticated, remote attackers to cripple Cisco Aggregation Services Routers (ASR). Cisco also recently disclosed a zero-day vulnerability in the Windows, macOS ,and Linux versions of its AnyConnect Secure Mobility Client Software.

 

Remediation:

 

  • Keep the number of Webex administrators to a minimum to have fewer opportunities for site settings errors.
  • Creating unlisted meetings maintains the security of sensitive information.
  • Provide password protection to strengthen the security of all your meetings, events, and training sessions.
  • All users must have an account on the WebEx site if sensitive meetings, events, or training sessions are hosted there.
  • Change password at regular intervals and set a minimum time interval when users can change their password
  • Require passwords for all meetings, events, and sessions and from phone or video systems. Only people with the password can get into the meeting – no matter what device or application they are calling from.
  • Do not allow Join before Host. This keeps participants in a waiting room until the host joins the conference.
  • Enforce personal room locking after a default time. When people join your personal meeting room, this will automatically lock the room after a period to keep someone from joining mid-meeting without permission.