Cisco patches dangerous Webex vulnerability

Cisco is moving to patch a serious vulnerability in version 40.4.12.8 of its Webex video-conferencing Windows client that could allow attackers to open, read and steal potentially valuable or damaging content.

The bug, which will be assigned CVE-2020-3347 on its formal disclosure, was uncovered by Martin Rakhmanov, security research manager at Trustwave SpiderLabs, who has been working with Cisco on a fix.

“Due to the global pandemic of Covid-19, there’s been explosion of video-conferencing and messaging software usage to help people transition their work life to a work-from-home environment,” said Rakhmanov in a disclosure blog.

“Vulnerabilities in this type of software now present an even a greater risk to its users. Cisco Webex is one of the most popular video-conferencing solutions available, so I decided to turn my research skills to seeing how secure the platform is. While I did find a relatively severe memory information leakage vulnerability, we worked with Cisco through our responsible disclosure programme to get this vulnerability patched.”

The vulnerability works thus. Once Webex is installed, it adds a tray app that starts when a user logs in – this app also launches some dependent processes at the same time. If the client is configured to log in automatically – which it will be by default – then the client will have several memory-mapped files open that are unprotected from opening for reading or writing by any other Windows user. One of these files holds information including the login email and the meeting URL.

Malicious users can therefore open and dump the contents of this file if they have logon access to the machine. More simply, said Rakhmanov, a user can loop over sessions and try to open, read and save content.

“Cisco Webex is one of the most popular video-conferencing solutions available, so I decided to turn my research skills to seeing how secure the platform is. While I did find a relatively severe memory information leakage vulnerability, we worked with Cisco to get this vulnerability patched”

Furthermore, if the user starts a meeting, the file will contain an access token that allows anybody to impersonate them and access their Webex account.

“Using the leaked information, I was able to access my own account from another machine with a different IP address. It allowed me to see all meetings along with invited parties and meeting password (if set), download past meeting recordings and so on,” said Rakhmanov.

“In an attack scenario, any malicious local user or malicious process running on a computer where Webex Client for Windows is installed can monitor the memory mapped file for a login token,” said Rakhmanov.

“Once found, the token, like any leaked credentials, can be transmitted somewhere so that it can be used to log in to the Webex account in question, download recordings, view and edit meetings, and so on.”

Both TrustWave and Cisco, which has released its own advisory on the vulnerability, are recommending users apply the patch as soon as possible.

Earlier this week, Cisco announced a number of security enhancements for its Webex service, which currently supports three times the volume of traffic it did in pre-pandemic days – it saw 25 billion meeting minutes in April alone, by Cisco’s reckoning.

Cisco has now extended its data loss prevention (DLP) retention, Legal Hold and eDiscovery to Webex meetings, bringing additional security and protection for meeting content such as recordings and transcriptions; enhanced analytics for IT teams in the Webex Control Hub to better control meeting room usage and changing work patterns – particularly as people start to return to their offices; and full Box integration, which will sit alongside existing built-in file-sharing capabilities. 

The new features were announced at a virtual Cisco Live event, at which the firm also formally launched its end-to-end SecureX service.