On Friday, Cisco informed customers that it had fixed a flaw that let unauthorized users join password-protected Webex meetings. Cisco said the flaw had been exploited.

Tracked as CVE-2020-3142 and classified as high severity, the flaw affected Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites. However, Cisco says the fixes apply only to the sites, and users are not required to update their mobile or desktop Webex Meetings applications.

Cisco said the flaw allowed an unauthenticated attacker to join password-protected meetings without needing to provide a password. For the authentication bypass to work, the attacker would need to initiate the connection from the iOS or Android versions of the Webex mobile app.

“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application,” Cisco said in its advisory.

The networking giant highlighted that an attacker would have been able to join a password-protected meeting, but would have been visible to the other attendees.

The vulnerability was discovered during the resolution of a support case, and Cisco believes it has not been publicly disclosed. However, the advisory says, “Cisco PSIRT is aware of active use of the vulnerability that is described in this advisory.”

Cisco said that some of its customers had used the vulnerability to access their own meetings, and the company is also aware of “exploitation of the vulnerability by unauthenticated attendees using the mobile app to gain unauthorized access to Webex’s audio capability.”

“Cisco has applied updates to address the vulnerability so further exploitation is not possible,” a Cisco spokesperson said in an emailed statement. “Transparency at Cisco is a matter of top priority. When security issues arise, we handle them openly and swiftly, so our customers understand the issue and how to address it.”
