Cybersecurity specialists report finding at least 3 vulnerabilities in Cisco Webex Meetings and Cisco Webex Meetings Server, which are part of the Cisco video conferencing platform. Successful exploitation of these vulnerabilities would allow threat actors to access sensitive information on affected systems.
Below are brief descriptions of the reported flaws, along with their CVE identifiers and their scores under the Common Vulnerability Scoring System (CVSS).
CVE-2020-344: This flaw exists due to poor security mechanisms in the application, which could expose sensitive user information. Threat actors could exploit Webex’s list to collect sensitive information.
This is a medium security flaw that received a score of 4.6/10.
CVE-2020-3471: A synchronization issue between meeting and media services on a vulnerable Webex site allows remote threat actors to send specially crafted requests that keep their audio connection to a Webex session open even after they have been ejected.
The flaw received a score of 5.7/10 on the CVSS scale.
CVE-2020-3419: Improper handling of authentication tokens by a vulnerable Webex site would allow remote hackers to send specially crafted requests and join meetings without appearing on the participant list, while keeping full access to audio, video, chat, and screen sharing features.
The vulnerability received a score of 5.7/10.
These three flaws reside in the following versions:
- Cisco Webex Meetings Server: 3.0MR3 Patch 4, 4.0MR3
- Cisco Webex Meetings: 40.10.9
Although these flaws can be exploited by unauthenticated remote threat actors, specialists have not detected attempts at active exploitation or the existence of malware associated with exploitation. Security patches are now ready, so users of affected installations are advised to update as soon as possible.