Cisco Webex bugs allow attackers to join meetings as ghost users

Attackers can join Webex meetings as ghost users, and even remain inside rooms after getting kicked.
Written by Catalin Cimpanu, Contributor
Webex ghost users
Image: Cisco, Oksana Latysheva, ZDNet

Cisco plans to fix three vulnerabilities in the Webex video conferencing app that can allow attackers to sneak in and join Webex meetings as ghost users, invisible to other participants.

The vulnerabilities were discovered earlier this year by security researchers from IBM, who conducted a review of remote working tools the tech software giant was using internally during the coronavirus pandemic.

Researchers said the three bugs, when combined, would have allowed an attacker to:

  1. Join a Webex meeting as a ghost user, invisible to others on the participant list, but with full access to audio, video, chats, and screen sharing.
  2. Remain in a Webex meeting as a ghost audio user even after being expelled from it.
  3. Obtain information on meeting participants, such as full names, email addresses, and IP addresses. This information could also be obtained from the meeting room lobby, even before the attacker was admitted to a call.

IBM researchers said the bugs reside in the "handshake" process that takes place when new Webex meetings are established.

Attackers who gained access to a meeting URL can connect to a Webex server, send malformed packets, and manipulate the server into gaining access to meetings and participants' details.

"In our analysis, we identified the specific values of the client information that could be manipulated during the handshake process to make the attendee invisible on the participants' panel," the IBM research team said in a report shared with ZDNet.

"We were able to demonstrate the ghost attendee issue on MacOS, Windows, and the iOS version of Webex Meetings applications, and Webex Room Kit appliance," the researchers added.

Mitigating circumstances include the fact that the vulnerabilities can only be exploited if attackers know the URLs of scheduled Webex meetings with unique meeting URLs and Webex Personal Rooms.

However, IBM researchers say that "personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner's name and organization name."

Cisco will be releasing patches today for the three Webex vulnerabilities reported by the IBM team — namely CVE-2020-3441CVE-2020-3471, and CVE-2020-3419.

Besides Zoom, Cisco Webex is one of the apps that came on top after the COVID-19 pandemic. It is being reported that Webex usage grew 451% this year, and that at its peak, Webex hosted as many as 4 million meetings in a single day, with as many as 324 million users.

A video summarizing the IBM team's work is also available below:

Editorial standards