WebEx is a video conferencing tool powered by Cisco.
With COVID-19 wreaking havoc globally, working from home is the new norm. With this, it is only natural that video conferencing tools have gained widespread adoption, ranging from the famed Zoom to Microsoft Teams.
This has also brought greater attention to these tools because of the value they represent to attackers. As a result, vulnerabilities in them are being found every day, some by the attackers themselves and some by concerned security researchers.
A case of the latter has emerged just recently when a researcher named Martin Rakhmanov from Trustwave went on to discover a critical flaw in Cisco WebEx, another major video conferencing tool in the industry.
Identified as CVE-2020-3347, the vulnerability was found in WebEx’s Meeting client on Windows with version 220.127.116.11.
“Once the application is installed, it adds a tray app that is started once a user logs on and has some dependent processes launched as well at that time,” states Martin. If the client's default option of logging in automatically is enabled, this allows an attacker to read and write a trace file without authorization, which can be very dangerous in terms of security.
The reason is that the file contains the email address used to log in to a meeting and a URL that is used to host meetings. Access to them can allow threat actors to log in to the WebEx account of the legitimate user in question.
Explaining further, the researcher states in their blog post that “When a user starts a meeting, the trace file will also contain a WebExAccessToken which allows anyone to impersonate the user and get access to the WebEx account.”
In an attack scenario, any malicious local user or malicious process running on a computer where WebEx Client for Windows is installed can monitor the memory-mapped file for a login token. Once found, the token, like any leaked credentials, can be transmitted somewhere so that it can be used to log in to the WebEx account in question.
As an example, Martin also tried doing it himself and successfully logged in to his own account from a different device with a completely different IP address. This allowed him to see a list of all meetings along with those invited to participate.
Not only this, but he could also download the recordings of previous meetings, which makes the attack much more dangerous.
The entire attack has also been documented in a video.
To conclude, following responsible disclosure to Cisco, the company released a patch just a day ago. WebEx users are recommended to update immediately in order to be safe from any such attacks.
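For developers, the broader lesson of a credential-bearing trace file is to keep secrets out of trace output in the first place. The following is an added example, not code from Cisco, Trustwave or the original article: a Python logging filter that scrubs tokens, URLs and e-mail addresses before a trace line is written. Only the `WebExAccessToken` name comes from the article; the second key name, the trace line layout and the sample values are assumptions constructed for illustration.

```python
import io
import logging
import re

# "WebExAccessToken" is the field named in the article; "access_token" is an
# assumed extra key. Values are assumed to be token-like (no whitespace).
SENSITIVE_KEYS = ("WebExAccessToken", "access_token")

# Matches key=value, key: value and "key": "value" forms for the keys above.
_KV_RE = re.compile(
    r'(?P<key>"?(?:%s)"?\s*[=:]\s*)(?P<q>"?)(?P<val>[^\s",;&]+)(?P=q)'
    % "|".join(map(re.escape, SENSITIVE_KEYS)),
    re.IGNORECASE,
)
_URL_RE = re.compile(r'https?://[^\s"]+')
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact(text: str) -> str:
    """Mask token values, URLs and e-mail addresses in one trace line."""
    text = _KV_RE.sub(lambda m: f"{m['key']}{m['q']}[REDACTED]{m['q']}", text)
    text = _URL_RE.sub("[URL]", text)
    return _EMAIL_RE.sub("[EMAIL]", text)


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-style args are scrubbed too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo() -> str:
    """Send constructed trace lines through the filter; return what was written."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("trace-demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)
    # Constructed sample values, not real credentials.
    log.debug("login user=%s site=https://example.invalid/meet", "alice@example.com")
    log.debug('meeting started {"WebExAccessToken": "%s"}', "tok_CONSTRUCTED_123")
    log.debug("refresh WebExAccessToken=tok_CONSTRUCTED_456; ok")
    return sink.getvalue()
```

Attaching the filter to the handler rather than to individual call sites means every record bound for that sink is scrubbed, including ones added later.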
On the other hand, as a parting note, it is important to remember that various security flaws have also been observed in other tools like Zoom in the past, so users shouldn’t really lose confidence in WebEx because of this. Given the rapidly changing environment, these discoveries and fixes are inevitable.