Cisco releases patches for 3 Webex vulnerabilities

Cisco has patched three vulnerabilities that allowed malicious actors to enter meetings and waiting rooms as 'ghosts' and stay on -- even after being removed.

Updated on Nov. 19, 2020:

Cisco has released patches for three Webex vulnerabilities that let hackers collect confidential information from meetings held on the video conferencing service.

The flaws, discovered by IBM Research in April, allow hackers to join meetings either undetected or as visible participants. In the latter case, they would remain hidden in the meeting even after being expelled. The vulnerabilities would also let hackers steal personal information while in a waiting room before entering the meeting.

The vulnerabilities would allow a malicious actor to join meetings as a "ghost" with full access to audio, video and screen sharing. The hacker could talk, chat and "violate the integrity of the meeting," said Ian Molloy, a researcher at IBM Research.

"Kind of like Zoombombing, but you're completely invisible," he said this week.

A hacker could also collect information on Webex meeting participants, such as full names, emails and IP addresses. 

Alternatively, a hacker could hang around in a meeting and listen in. If a boardroom discusses confidential information, such as a merger or an acquisition plan, the hacker would be privy to that information.

In April, IBM Research found that hackers can exploit the vulnerabilities by manipulating the Webex process for connecting participants. This connecting "handshake" requires a client to send information such as an attendee name, email address, application name, application version, operating system and meeting ID. The server then replies with information such as a meeting name, room topic, hosts, access controls and dial-in information.

Hackers can manipulate the client side of this interaction to join a meeting as a ghost. The only giveaway that an intruder has entered a forum is an extra beep that signifies the connection. According to IBM Research, hosts often overlook the beep.
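A server-side check for the ghost behavior described above, added here as an illustration and not taken from the article, IBM Research or Cisco: it flags sessions that exchange media while missing from the host-visible roster, or after the host expelled them. The audit record format and the event names (`connect`, `roster_add`, `expel`, `leave`, `media`) are assumptions, and the sample events are constructed.

```python
from collections import namedtuple

# Hypothetical audit record; the field and event names are assumptions.
Event = namedtuple("Event", "ts meeting session kind")

# Constructed sample data, not taken from any real Webex log.
SAMPLE_EVENTS = [
    Event(100, "m1", "s-alice", "connect"),
    Event(101, "m1", "s-alice", "roster_add"),
    Event(105, "m1", "s-ghost", "connect"),   # handshake done, never listed
    Event(110, "m1", "s-ghost", "media"),
    Event(120, "m1", "s-bob", "connect"),
    Event(121, "m1", "s-bob", "roster_add"),
    Event(130, "m1", "s-bob", "expel"),
    Event(140, "m1", "s-bob", "media"),       # stream still open after expulsion
    Event(150, "m1", "s-alice", "media"),
    Event(160, "m1", "s-carol", "connect"),   # waiting room, no media yet
]


def find_ghost_sessions(events):
    """Return sorted (meeting, session, reason) tuples for sessions that
    exchange media while absent from the host-visible roster."""
    listed, expelled, findings = set(), set(), set()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.meeting, ev.session)
        if ev.kind == "roster_add":
            listed.add(key)
            expelled.discard(key)             # re-admitted by the host
        elif ev.kind == "expel":
            listed.discard(key)
            expelled.add(key)
        elif ev.kind == "leave":
            listed.discard(key)
        elif ev.kind == "media" and key not in listed:
            reason = ("media_after_expel" if key in expelled
                      else "media_without_roster_entry")
            findings.add(key + (reason,))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_ghost_sessions(SAMPLE_EVENTS):
        print(*finding)
```

The check relies only on state the server records itself, so a client that alters its side of the handshake cannot suppress the finding.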

The latest Webex vulnerabilities are not the first this year. In June, Cisco patched a vulnerability that allowed a hacker to access sensitive information about meeting participants. 

The most recent flaws exist in the macOS, iOS and Windows versions of Webex. Cisco released the last of the patches this week.

Cisco classified the vulnerabilities as "medium severity" and said in a statement that it was unaware of any successful attacks.

"The issues are resolved in the Cisco Webex Cloud, and fixed software is available for those customers with custom deployments," the company said. "The security advisories and fixes are published as part of our long-standing security vulnerability disclosure process."
