Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/18/2020
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cisco Patches Flaw in Webex Videoconferencing App

Vulnerability would have allowed an attacker to gain access to sensitive information on a system, Trustwave's SpiderLabs says.

Cisco has patched a security flaw in its Webex for Windows videoconferencing and messaging software that would have allowed an authenticated attacker to impersonate a legitimate user, download recordings, view or edit meeting information, and steal usernames and other data.

The vulnerability — tracked as CVE-2020-3347 — resulted from what Cisco described as the unsafe use of shared memory in versions of Webex Meetings Desktop App for Windows earlier than 40.6.0. It's one of three flaws in Webex for which the company issued patches this week.

The affected versions of Webex use shared memory to exchange sensitive information such as authentication tokens, usernames, and meeting information with Windows and other applications, the vendor noted. The vulnerability — that a security researcher at Trustwave SpiderLabs recently discovered and reported to Cisco — basically allowed an attacker who already had authenticated access on a system in order to access and retrieve the information from the shared location.

"Malicious users can open and dump contents of this file if they have logon access to the machine," Trustwave said in an advisory on the flaw Thursday. "Simply put, another user can loop over sessions and try to open, read and save interesting contents for future inspection."

Cisco itself rated the vulnerability as being only of medium severity, likely because an attacker would already need to be on a system in order to exploit it. Ilia Kolochenko, founder and CEO of ImmuniWeb, says that fact alone would have severely limited the practical exploitation of flaw. A creative attacker that already had free access to a system would likely not have needed to exploit the Webex flaws to get at the information, he says.

Even so, the flaw represents a failure by the Webex team to follow fundamental software development best practices. "Users that share their machines with third parties should install the available security update without delay," Kolochenko says.

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says an attacker would not necessarily need to be logged in to a machine directly to take advantage of the Webex flaw. "They could craft malware that when implanted on the victim's system could constantly monitor for Webex tokens," he says. "That would give the attacker access to upcoming meetings, past meetings, and any existing meeting recordings. All of this could leak confidential information to an attacker."

Heightened Risks
The Webex flaw is the latest to highlight what several security researchers have noted is the heightened exposure to data theft and loss that organizations face from the increased use of third-party videoconferencing tools such as Webex, Zoom, and Microsoft Teams by work-from-home employees.

In recent months, security researchers have uncovered relatively serious vulnerabilities in all three platforms even as organizations have been ramping up use of these technologies to support workers forced to work from home because of social-distancing measures.

Earlier this month, for instance, researchers from Cisco Talos discovered two serious vulnerabilities in Zoom, one of which would have allowed attackers to remotely execute code on compromised systems. Security researchers have uncovered multiple other issues with Zoom over the past few months.

Zoom is not the only one with problems. In April, Microsoft scrambled to issue a patch after researchers at CyberArk discovered a flaw in Teams that would have allowed attackers to steal account data using a specially crafted GIF.

Cisco has had its share of issues with Webex as well. Just this week, the company issued patches for two other separately reported security issues in Webex. One of them was an improper input validation error that would have allowed a remote attacker to execute arbitrary code on a vulnerable system (CVE-2020-3263). The second flaw affected a software update feature in Cisco Webex Meetings Desktop App for Mac (CVE-2020-3342) and allowed for remote code execution as well.

Trustwave's Sigler says the takeaway for organizations is to pay closer attention to the collaboration tools they are using. "To minimize your risk, make sure your video [and] messaging solution is kept up to date on patches and make sure that you are using long and strong authentication for both your user accounts and in the actual meetings themselves."

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32238
PUBLISHED: 2021-05-18
Epic Games / Psyonix Rocket League <=1.95 is affected by Buffer Overflow. Stack-based buffer overflow occurs when Rocket League handles UPK object files that can result in code execution and denial of service scenario.
CVE-2020-23851
PUBLISHED: 2021-05-18
A stack-based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c:513:28, which could cause a denial of service by submitting a malicious jpeg image.
CVE-2020-23852
PUBLISHED: 2021-05-18
A heap based buffer overflow vulnerability exists in ffjpeg through 2020-07-02 in the jfif_decode(void *ctxt, BMP *pb) function at ffjpeg/src/jfif.c (line 544 & line 545), which could cause a denial of service by submitting a malicious jpeg image.
CVE-2020-23856
PUBLISHED: 2021-05-18
Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.
CVE-2020-24026
PUBLISHED: 2021-05-18
TinyShop, a free and open source mall based on RageFrame2, has a stored XSS vulnerability that affects version 1.2.0. TinyShop allows XSS via the explain_first and again_explain parameters of the /evaluate/index.php page. The vulnerability may be exploited remotely, resulting in cross-site scripting...