New Cisco Webex vulnerability exposes authentication tokens

Trustwave SpiderLabs discovered a Cisco Webex memory vulnerability that could allow an attacker to gain access to sensitive information such authentication tokens.

The vulnerability, assigned as CVE-2020-3347 in the disclosure, was uncovered by Martin Rakhmanov, security research manager at Trustwave SpiderLabs. It affects all versions of Cisco Webex through 40.6. Rakhmanov released an advisory Thursday on the vulnerability and mitigation.

Cisco worked on an escalated schedule to get the patch out because they knew the severity of the flaw, Trustwave senior threat intelligence manager Karl Sigler said.

Inspired by a surge in video conferencing, Trustwave SpiderLabs researchers decided to examine Webex, one of the most popular video and messaging tools on the market, according to Sigler.

"The main issue with this vulnerability is that there's a function in how Cisco Webex works where very confidential, very sensitive information is stored in memory to an unprotected state, so any general user, guest user, standard user account would have access to be able to dump that sensitive information," Sigler said. "That would allow them to listen in on Webex meetings, past Webex meetings and basically impersonate the person whose data they stole out of memory."

Cisco Webex is a popular product, especially among enterprise organizations, Sigler said. However, to take advantage of this vulnerability, the victim's system would have to have an active Webex account, specifically for Windows; the vulnerability doesn't affect Webex for MacOS, iOS and Android.

The victim in this situation would have to have an active Webex account and an active Webex software for an attack to be successful.

"The attacker would need to have access to that system in some form or fashion, such as logging in through a remote session and already have a presence on the system," Sigler said. "It could also be that they are pushing malware out as sort of their proxy so an attacker would very easily develop malware that is specialized for this purpose. And if they can trick the victim into installing the malware, the malware could just sit on the system indefinitely just monitoring memory with those Webex tokens and just sending them back to the attacker just exfiltrating that data to the attacker."

From there, malicious users could access new meetings and recordings and obtain confidential information.

Trustwave disclosed the vulnerability to Cisco on April 23; a patch was released Wednesday, and Trustwave and Cisco recommend updating Webex clients to version 40.6.0. Trustwave said there are no indications the Webex vulnerability has been exploited in the wild.

No matter which video conferencing program organizations use, Sigler said there are steps to take to increase security such as creating passwords for individual meetings.

"I think that organizations that do their own due diligence to look at previous vulnerabilities, figure out how infrastructure works, how their employees are laid out -- whether they are scattered remotely or located in a single place -- all of those things go into decision-making for which conferencing software to use, as long as organizations have a process to quickly deploy patches and make sure users are up to date on the most current version and to make sure their users are aware of social engineering attacks that are current right now," Sigler said.