Cisco is rolling out fixes for three vulnerabilities in its Webex video-conference software that made it possible for interlopers to eavesdrop on meetings as a “ghost,” meaning being able to view, listen, and more without being seen by the organizer or any of the attendees.
The vulnerabilities were discovered by IBM Research and the IBM’s Office of the CISO, which analyzed Webex because it’s the company’s primary tool for remote meetings. The discovery comes as work-from-home routines have driven a more than fivefold increase in the use of Webex between February and June. At its peak, Webex hosted up to 4 million meetings in a single day.
The vulnerabilities made it possible for an attacker to:
- Join a meeting as a ghost, in most cases with full access to audio, video, chat, and screen-sharing capabilities
- Maintain an audio feed as a ghost even after being expelled by the meeting leader
- Access full names, email addresses, and IP addresses of meeting attendees, even when not admitted to a conference room.
Cisco is in the process of rolling out a fix now for the vulnerabilities, which are tracked as CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419. Below is a video demonstration and deeper explanation:
Manipulating the handshake
Attacks work by exploiting the virtual handshake that Webex uses to establish a connection between meeting participants. The process works when an end user and server exchange join messages that include information about the attendees, the end-user application, meeting ID, and meeting-room details. In the process, Webex establishes a WebSocket connection between the user and the server.
“By manipulating some of the key fields about an attendee sent over a WebSocket when joining a meeting, the team was able to inject the carefully crafted values that allow someone to join as a ghost attendee,” IBM researchers wrote in a post published on Wednesday. “This worked because of improper handling of the values by the server and other participants’ client applications. For example,…