Three vulnerabilities in Cisco Webex Meetings and Webex Server allow hackers to spy on users during sessions

Cybersecurity specialists report finding at least 3 vulnerabilities in Cisco Webex Meetings and Cisco Webex Meetings Server, which are part of the Cisco video conferencing platform. Successful exploitation of these vulnerabilities would allow threat actors to access sensitive information on affected systems.

Below are brief reviews of reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-344: This flaw exists due to insufficient security mechanisms in the application, which could expose sensitive user information. Threat actors could exploit Webex's participant list to collect sensitive information.

This is a medium-severity flaw that received a CVSS score of 4.6/10.

CVE-2020-3471: A synchronization issue between the meeting and media services on a vulnerable Webex site allows remote threat actors to send specially crafted requests that keep an audio connection to a Webex session open even after the intruder has been expelled from the meeting.

The flaw received a score of 5.7/10 on the CVSS scale.

CVE-2020-3419: Improper handling of authentication tokens by a vulnerable Webex site would allow remote hackers to send specially crafted requests and join meetings without appearing on the participant list, while enjoying full access to audio, video, chat, and screen-sharing features.

The vulnerability received a score of 5.7/10 and allows remote threat actors to join Webex sessions without appearing on the official participant list.

These three flaws reside in the following versions:

  • Cisco WebEx Meetings Server: 3.0MR3 Patch 4, 4.0MR3
  • Cisco Webex Meetings: 40.10.9

Although these flaws can be exploited by unauthenticated remote threat actors, specialists have not detected attempts at active exploitation or the existence of malware associated with these flaws. Security patches are now available, so users of affected installations are advised to update as soon as possible.