What was the Vulnerability?
The Webex vulnerability stems from a meeting join flaw that exposes the Meeting ID in the URL of the mobile device’s web browser. A hacker could then use this Meeting ID to join a private, password-protected meeting. Before the fix, this vulnerability could be exploited from either the iOS or the Android Webex mobile application, and the hacker would not need to provide a meeting password to join the meeting. “The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application,” wrote Cisco in its advisory last Friday. However, Cisco points out that unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee. Consequently, authorized members would be aware of the hacker’s presence and could take appropriate action.
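Because Cisco notes that anyone who used the flawed join flow shows up in the attendee list as a mobile attendee, the practical host-side check is to reconcile the roster against the invite list and single out uninvited mobile joins. The script below is an added example, not Cisco code or a Webex API; the attendee records, the invite list and the field names (`email`, `client`) are constructed for illustration and are not Webex's schema.

```python
"""Reconcile a meeting roster against its invite list.

Added example, not Cisco tooling. Attendee records, the invite list and the
field names below are constructed assumptions, not the Webex data model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attendee:
    email: str
    client: str  # constructed field: "mobile" or "desktop"


def normalize(email: str) -> str:
    """Case-fold and trim so 'Bob@Example.com ' matches 'bob@example.com'."""
    return email.strip().lower()


def review_roster(attendees, invitees):
    """Return (attendee, note) pairs for everyone who is not on the invite list.

    Uninvited *mobile* attendees are noted separately because the advisory says
    an attendee who used the flawed join flow appears as a mobile attendee.
    """
    invited = {normalize(e) for e in invitees}
    findings = []
    for a in attendees:
        if normalize(a.email) in invited:
            continue
        if a.client == "mobile":
            note = "uninvited mobile attendee (matches advisory pattern)"
        else:
            note = "uninvited attendee"
        findings.append((a, note))
    return findings


def uninvited_mobile(attendees, invitees):
    """Just the attendees that match the advisory's mobile-join pattern."""
    return [a for a, _ in review_roster(attendees, invitees) if a.client == "mobile"]


# Constructed sample data: three invitees, five people actually on the roster.
INVITEES = ["alice@example.com", "Bob@Example.com", "carol@example.com"]
ROSTER = [
    Attendee("alice@example.com", "desktop"),
    Attendee("bob@example.com", "mobile"),      # invited, joined from mobile: fine
    Attendee("carol@example.com", "desktop"),
    Attendee("mallory@example.net", "mobile"),  # not invited, mobile: matches advisory
    Attendee("eve@example.net", "desktop"),     # not invited, desktop: still worth a look
]

if __name__ == "__main__":
    for attendee, note in review_roster(ROSTER, INVITEES):
        print(f"{attendee.email:<22} {attendee.client:<8} {note}")
```

The e-mail normalisation matters more than it looks: invite lists are usually typed by hand, and a mixed-case entry that fails to match would produce a false alarm about a legitimate attendee.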
How was the Webex Vulnerability Discovered?
The vulnerability was discovered while Cisco was resolving a support case. Although Cisco believes the vulnerability was not publicly disclosed, the advisory says: “Cisco PSIRT [Cisco Product Security Incident Response Team] is aware of active use of the vulnerability that is described in this advisory.” According to a SecurityWeek article, Cisco informed the publication that the Webex vulnerability had been exploited. However, the exploitation originated from Webex users who had used the vulnerability to access their own meetings.
How to Fix the Webex Vulnerability
The Cisco Webex vulnerability affects Cisco Webex Meetings Suite sites on releases earlier than 39.11.5 and Cisco Webex Meetings Online sites on releases earlier than 40.1.3. Cisco states that patches were only required on its Webex sites, so users do not need to update their mobile or desktop Webex Meetings applications. Cisco has since applied the updates to its sites to address the vulnerability; therefore, further exploitation of the vulnerability is no longer possible. Moreover, Cisco confirmed that the vulnerability did not affect the Webex Meeting Server.
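Checking a site release against the fixed releases named above is where comparisons go wrong: compared as strings, "39.9.0" sorts *after* "39.11.5" because "9" is greater than "1". The snippet below is an added example, not a Cisco tool; it takes the fixed releases (39.11.5 for Suite sites, 40.1.3 for Online sites) from the advisory text above and assumes release strings are dotted integers.

```python
"""Compare a Webex site release against the advisory's fixed releases.

Added example, not Cisco tooling. Fixed releases are the ones quoted in the
advisory; the dotted-integer release format is an assumption.
"""

FIXED_RELEASE = {
    "suite": (39, 11, 5),   # Cisco Webex Meetings Suite sites
    "online": (40, 1, 3),   # Cisco Webex Meetings Online sites
}


def parse_release(text):
    """Turn '39.11.5' into (39, 11, 5) so the comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(parts, width):
    """Right-pad with zeros so a short release such as '40.1' compares as '40.1.0'."""
    return parts + (0,) * (width - len(parts))


def is_affected(site_kind, release):
    """True when the site runs a release earlier than the fixed one for its kind."""
    fixed = FIXED_RELEASE[site_kind]
    current = parse_release(release)
    width = max(len(fixed), len(current))
    return pad(current, width) < pad(fixed, width)


def naive_string_compare_is_affected(site_kind, release):
    """The mistake the numeric version avoids: comparing release strings lexically."""
    fixed = ".".join(str(p) for p in FIXED_RELEASE[site_kind])
    return release < fixed


if __name__ == "__main__":
    for kind, rel in [("suite", "39.9.0"), ("suite", "39.11.5"), ("online", "40.1")]:
        print(f"{kind:<7} {rel:<8} affected={is_affected(kind, rel)} "
              f"(string compare says {naive_string_compare_is_affected(kind, rel)})")
```

Since Cisco applied the fix on its own hosted sites, this is mainly useful for confirming what release a site was on when reviewing past meetings, rather than as something customers had to run to patch.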