Cisco implements fix for Webex flaws that allow hackers to spy on meetings
Cisco is implementing fixes for three vulnerabilities in its Webex video conferencing software that allowed intruders to spy on meetings as “ghosts,” meaning they can see, hear, and more without being seen by the host or by anyone else. assistants.
The vulnerabilities were discovered by IBM Research and the IBM CISO office, which analyzed Webex as it is the company’s primary tool for remote meetings. The discovery comes as work-from-home routines increased Webex usage more than five-fold between February and June. At its peak, Webex hosted up to 4 million meetings in a single day.
The vulnerabilities allowed an attacker to:
- Join a meeting like a ghost, in most cases with full access to audio, video, chat and screen sharing features
- Keep an audio stream like a ghost even after being kicked out by the meeting manager
- Access the full names, email addresses, and IP addresses of meeting participants, even if they are not allowed into a conference room.
Cisco is in the process of implementing a patch for the vulnerabilities, which are tracked as CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419. Below is a video demonstration and more detailed explanations:
IBM is working with Cisco to exorcise ghosts from Webex meetings.
Manipulating the handshake
The attacks work by taking advantage of the virtual handshake that Webex uses to establish a connection between meeting participants. The process works when an end user and a server exchange messages that contain information about attendees, end user application, meeting ID, and meeting room details. In the process, Webex establishes a WebSocket
connection between user and server.
“By manipulating some of the key fields on an attendee sent through a WebSocket while joining a meeting, the team was able to inject the carefully crafted values that allow someone to join as a phantom attendee,” the team wrote. IBM researchers in a article published wednesday. “It worked because of poor handling of values by the server and client applications of other participants. For example, injecting null values into the “Lock” and “CB_SECURITY_PARAMS” fields caused a problem “.
Elsewhere in the report, the researchers wrote:
A malicious actor can become a ghost by manipulating these messages during the negotiation process between the Webex client application and the Webex back-end server to join or stay in a meeting without being seen by others. In our analysis, we identified specific values of customer information that could be manipulated during the contact process to make the attendee invisible in the attendee panel. We were able to demonstrate the phantom attendee issue on MacOS, Windows, and the iOS version of the Webex Meetings apps and the Webex Room Kit device.
The only clue that attendees would have that a ghost has infiltrated a meeting is a beep when the ghost joins it. Tones are sometimes turned off by conference leaders, and even when the tones remain on, it is often difficult to count the number of beeps to ensure they match the number of participants.
There is also little to no indication of when someone exploits the vulnerability that allows them to stay in a meeting after being kicked or fired. This often happens when a leader holds back-to-back meetings with different participants. In these cases, the ghost can hear the meeting, but does not have access to video, chat, or screen sharing.
Wednesday’s report said:
Even with best practices, a host can still end up in a meeting with an unwanted guest that needs to be deleted, whether it’s someone who failed the meeting (for example, “ Zoombombed ”) or a participant who failed. is away from your computer and you forgot to log out. Either way, the host has the power to kick participants out, but how do you know they’re really gone? It turns out that with this vulnerability, it’s extremely difficult to tell. Not only could an attacker join meetings undetected or disappear while maintaining audio connectivity, they could also simply ignore the host’s cutoff order, stay in the meeting, and maintain the audio connection.
Ghosts can use exploits that allow ghost helpers to gain confidential or proprietary information. The vulnerability that allows attackers to obtain personal data from participants could be especially useful during the massive shift from work to home, as home networks often do not have the same security defenses as in work facilities. The vulnerabilities affect Cisco Webex software released before Wednesday. Cisco has more details here