Zero-day bug without patch in Cisco Meeting App, Cisco Webex Meetings flaw allows intercepting traffic

Malware reverse engineering experts disclosed two critical flaws affecting Cisco's Webex Meetings and Meeting App. Successful exploitation of these vulnerabilities would allow malicious hackers to bypass authentication mechanisms on the affected systems.

Below are brief overviews of the reported vulnerabilities, along with their identifiers and scores under the Common Vulnerability Scoring System (CVSS). Note that one of these flaws has not yet been patched.

CVE-2020-3197: Insufficient protection of the TURN server credentials allows remote threat actors to bypass authentication on Cisco Meeting App by intercepting legitimate traffic generated by an affected system. This is a medium severity vulnerability with a CVSS score of 4/10.

Cisco has not released a security update to address CVE-2020-3197.
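The weakness described above is that a TURN credential captured from legitimate traffic stays usable. The usual mitigation, independent of any particular vendor, is to hand out short-lived credentials derived from a shared secret, so that whatever an observer captures expires within minutes. The following is an added example of that scheme (the time-limited username/HMAC-password pattern used by coturn's shared-secret mode); it is not Cisco's code and says nothing about how the affected product actually stores its credentials. The secret, user name and timestamps are constructed values.

```python
import base64
import hashlib
import hmac

# Secret shared between the server that issues credentials and the TURN server
# that checks them. Constructed value for this example; rotate it in practice.
TURN_SHARED_SECRET = b"example-shared-secret-rotate-me"
CREDENTIAL_TTL = 600  # seconds a handed-out credential stays valid


def make_turn_credentials(user, now, ttl=CREDENTIAL_TTL, secret=TURN_SHARED_SECRET):
    """Issue a time-limited TURN username/password pair.

    The username embeds the expiry time; the password is an HMAC over the
    username, so the TURN server can verify it without storing anything.
    """
    expiry = int(now) + ttl
    username = f"{expiry}:{user}"
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    password = base64.b64encode(digest).decode()
    return username, password


def verify_turn_credentials(username, password, now, secret=TURN_SHARED_SECRET):
    """TURN-server side: accept only unexpired, correctly signed credentials."""
    try:
        expiry_str, _user = username.split(":", 1)
        expiry = int(expiry_str)
    except ValueError:
        # Malformed username (no "expiry:user" shape or non-numeric expiry).
        return False
    if int(now) >= expiry:
        # A credential captured from the wire is worthless after this point.
        return False
    expected = base64.b64encode(
        hmac.new(secret, username.encode(), hashlib.sha1).digest()
    ).decode()
    # Constant-time comparison to avoid leaking the expected value byte by byte.
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    issued_at = 1_600_000_000  # constructed timestamp
    user, pw = make_turn_credentials("alice", issued_at)
    print("issued:", user, pw)
    print("valid 100s later:", verify_turn_credentials(user, pw, issued_at + 100))
    print("valid after TTL:", verify_turn_credentials(user, pw, issued_at + CREDENTIAL_TTL))
```

A static credential shared by every client, by contrast, never stops working once captured, which is the situation the advisory text warns about.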

CVE-2020-3345: An improper check of parameter values on affected pages could enable arbitrary URL redirection in Cisco Webex Meetings. Malicious hackers can craft a link that points to a trusted website but, when victims click it, redirects them to an arbitrary domain.

According to malware reverse engineering experts, a successful attack would allow remote hackers to carry out phishing attacks and steal confidential information. The flaw received a CVSS score of 3.8/10 and is considered a low severity bug.

A security patch for CVE-2020-3345 has already been released, so administrators of affected deployments should verify that it has been installed correctly.
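The CVE-2020-3345 description above is the classic open-redirect pattern: a page takes a target URL from a request parameter and redirects to it without checking where it points. The following is an added example, not Cisco's code and not a reproduction of the Webex bug, showing the flawed pattern beside a validating version that only follows same-site paths or absolute URLs on an allow-listed host. The host names and the `/home` fallback are constructed values.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts we are willing to redirect to. Constructed allow-list for this example.
ALLOWED_HOSTS = {"meetings.example.com", "www.example.com"}
DEFAULT_TARGET = "/home"


def vulnerable_redirect_target(param):
    """The flawed pattern: trust the parameter and redirect to it as-is."""
    return param


def safe_redirect_target(param, allowed_hosts=ALLOWED_HOSTS):
    """Return a redirect target that stays on this site or an allowed host.

    Anything else (other domains, scheme-relative URLs, non-http schemes,
    userinfo tricks, control characters) falls back to DEFAULT_TARGET.
    """
    if not param:
        return DEFAULT_TARGET
    # Browsers treat backslashes like slashes, so normalise first; otherwise
    # "/\\evil.example" would look like a relative path to urlsplit.
    candidate = param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//evil.example") URL: enforce allow-list.
        if parts.scheme not in ("http", "https"):
            return DEFAULT_TARGET
        host = parts.hostname  # already lower-cased; excludes userinfo and port
        if host is None or host not in allowed_hosts:
            return DEFAULT_TARGET
        return urlunsplit(parts)
    # Relative target: must be an absolute path on this site. "//" was already
    # handled as a netloc above, but reject it explicitly for clarity.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    if any(ord(c) < 32 for c in candidate):
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    # Constructed sample parameter values, as a phishing link might carry them.
    samples = [
        "/dashboard",
        "https://meetings.example.com/join?id=1",
        "//evil.example/login",
        "https://evil.example/",
        "https://meetings.example.com@evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:50} vulnerable -> {vulnerable_redirect_target(s)!r:45} "
              f"safe -> {safe_redirect_target(s)!r}")
```

The important design choice is to validate the parsed host, not the raw string: prefix checks such as `startswith("https://meetings.example.com")` are defeated by `https://meetings.example.com.evil.example/` or by a `@` userinfo component, both of which `urlsplit().hostname` resolves correctly.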

Even though these flaws could be exploited by remote, unauthenticated threat actors, malware reverse engineering experts have not observed active exploitation attempts or a malware variant linked to the attack. Cisco will release more details once the exploitation risk has passed.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.