SB2020111906 - Multiple vulnerabilities in Cisco Webex Meetings and Cisco Webex Meetings Server
Published: November 19, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2020-3441)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient protection of sensitive participant information. A remote attacker can browse the Webex roster to gather information about other Webex participants, such as email address and IP address, while waiting in the lobby.
2) Information disclosure (CVE-ID: CVE-2020-3471)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a synchronization issue between meeting and media services on a vulnerable Webex site. A remote attacker can send specially crafted requests to maintain the audio connection of a Webex session despite being expelled.
3) Improper Control of Dynamically-Managed Code Resources (CVE-ID: CVE-2020-3419)
The vulnerability allows a remote attacker to join a Webex session without appearing on the participant list.
The vulnerability exists due to improper handling of authentication tokens by a vulnerable Webex site. A remote attacker can send specially crafted requests and join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities.
Remediation
Install the update from the vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r