-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.4095.3
   Cisco Webex Meetings and Cisco Webex Meetings Server vulnerabilities
                             24 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Meetings and Cisco Webex Meetings Server
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3471 CVE-2020-3441 CVE-2020-3419

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG

Revision History:  November 24 2020: Vendor issued minor updates for each advisory
                   November 19 2020: Updated CVE list from all enclosed reports
                   November 19 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-auth-token-3vg57A5r
First Published: 2020 November 18 16:00 GMT
Last Updated:    2020 November 20 14:34 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu42629 CSCvu42755
CVE Names:       CVE-2020-3419
CWEs:            CWE-913

Summary

  o A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server
    could allow an unauthenticated, remote attacker to join a Webex session
    without appearing on the participant list.

    This vulnerability is due to improper handling of authentication tokens by
    a vulnerable Webex site. An attacker could exploit this vulnerability by
    sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco
    Webex Meetings Server site. A successful exploit requires the attacker to
    have access to join a Webex meeting, including applicable meeting join
    links and passwords. The attacker could then exploit this vulnerability to
    join meetings, without appearing in the participant list, while having full
    access to audio, video, chat, and screen sharing capabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-auth-token-3vg57A5r

Affected Products

  o Vulnerable Products

    This vulnerability affected all Cisco Webex Meetings sites prior to
    November 17, 2020. Webex Meetings is cloud based.

    At the time of publication, this vulnerability also affected all Cisco
    Webex Meetings apps releases 40.10.9 and earlier for iOS and Android.

    At the time of publication, this vulnerability also affected the following
    releases of Cisco Webex Meetings Server, which is on premises:

       3.0MR3 Security Patch 4 and earlier
       4.0MR3 Security Patch 3 and earlier

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cloud-Based Services

    Cisco addressed this vulnerability on November 17, 2020, in Cisco Webex
    Meetings sites, which are cloud based. No user action is required.

    Customers who need additional information are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    On-Premises Software

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    TAC or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco Webex Meetings mobile app releases 40.11
    and later contained the fix for this vulnerability. Users who do not have
    their mobile apps set to update automatically are advised to update their
    apps to a fixed release.

    At the time of publication, the following Cisco Webex Meetings Server
    releases contained the fix for this vulnerability:

       3.0MR3 Security Patch 5
       4.0MR3 Security Patch 4

    Customers are advised to apply updated software releases.

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware of
    malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the following researchers from IBM Research for
    reporting this vulnerability:

       Jiyong Jang, Research Scientist and Manager
       Dhilung Kirat, Research Scientist
       Ian Molloy, Principal RSM and Department Head
       J.R. Rao, IBM Fellow and CTO

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-auth-token-3vg57A5r

Revision History

  o +---------+------------------------+---------------+--------+-------------+
    | Version |      Description       |    Section    | Status |    Date     |
    +---------+------------------------+---------------+--------+-------------+
    | 1.2     | Updated affected       | Vulnerable    | Final  | 2020-NOV-20 |
    |         | software release.      | Products      |        |             |
    +---------+------------------------+---------------+--------+-------------+
    | 1.1     | Corrected a            | Source        | Final  | 2020-NOV-19 |
    |         | researcher's name.     |               |        |             |
    +---------+------------------------+---------------+--------+-------------+
    | 1.0     | Initial public         | -             | Final  | 2020-NOV-18 |
    |         | release.               |               |        |             |
    +---------+------------------------+---------------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-infodisc-4tvQzn4
First Published: 2020 November 18 16:00 GMT
Last Updated:    2020 November 23 21:59 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu44356 CSCvu48356
CVE Names:       CVE-2020-3441
CWEs:            CWE-20

Summary

  o A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server
    could allow an unauthenticated, remote attacker to view sensitive
    information from the meeting room lobby.

    This vulnerability is due to insufficient protection of sensitive
    participant information. An attacker could exploit this vulnerability by
    browsing the Webex roster. A successful exploit could allow the attacker to
    gather information about other Webex participants, such as email address
    and IP address, while waiting in the lobby.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-infodisc-4tvQzn4

Affected Products

  o Vulnerable Products

    This vulnerability affected all Cisco Webex Meetings site releases 40.11.3
    and earlier, and Cisco Webex Meetings Slow Channel site releases 40.6.11
    and earlier. Webex Meetings is cloud based.

    At the time of publication, this vulnerability also affected the following
    releases of Cisco Webex Meetings Server, which is on premises. See the
    Details section in the bug ID(s) at the top of this advisory for the most
    complete and current information.

       3.0MR3 Security Patch 4 and earlier
       4.0MR3 Security Patch 3 and earlier

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the following Cisco Webex Meetings releases,
    which are cloud based, contained the fix for this vulnerability:

       Webex Meetings Desktop App release 40.11.4
       Webex Meetings Desktop App, Slow Channel release 40.6.12. This release
        is expected to be available on November 24, 2020.
       Webex Meetings app for iOS and Android release 40.11

    At the time of publication, the following releases for Cisco Webex Meetings
    Server, which is on-premises software, contained the fix for this
    vulnerability. Customers are advised to apply updated software releases.
    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

       3.0MR3 Security Patch 5
       4.0MR3 Security Patch 4

    Customers who need additional information are advised to contact the Cisco
    TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware of
    malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the following researchers from IBM Research for
    reporting this vulnerability:

       Jiyong Jang, Research Scientist and Manager
       Dhilung Kirat, Research Scientist
       Ian Molloy, Principal RSM and Department Head
       J.R. Rao, IBM Fellow and CTO

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-infodisc-4tvQzn4

Revision History

  o +---------+---------------------------+------------+--------+-------------+
    | Version |        Description        |  Section   | Status |    Date     |
    +---------+---------------------------+------------+--------+-------------+
    |         | Included Slow Channel     |            |        |             |
    |         | releases in Vulnerable    | Vulnerable |        |             |
    |         | Products and Fixed        | Products   |        |             |
    | 1.2     | Software. Updated         | and Fixed  | Final  | 2020-NOV-23 |
    |         | formatting in Vulnerable  | Software   |        |             |
    |         | Products and Fixed        |            |        |             |
    |         | Software.                 |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.1     | Corrected a researcher's  | Source     | Final  | 2020-NOV-19 |
    |         | name.                     |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.0     | Initial public release.   | -          | Final  | 2020-NOV-18 |
    +---------+---------------------------+------------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio
Information Exposure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-info-leak-PhpzB3sG
First Published: 2020 November 18 16:00 GMT
Last Updated:    2020 November 23 21:59 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu84564 CSCvu98531
CVE Names:       CVE-2020-3471
CWEs:            CWE-20

Summary

  o A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server
    could allow an unauthenticated, remote attacker to maintain bidirectional
    audio despite being expelled from an active Webex session.

    The vulnerability is due to a synchronization issue between meeting and
    media services on a vulnerable Webex site. An attacker could exploit this
    vulnerability by sending crafted requests to a vulnerable Cisco Webex
    Meetings or Cisco Webex Meetings Server site. A successful exploit could
    allow the attacker to maintain the audio connection of a Webex session
    despite being expelled.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-info-leak-PhpzB3sG

Affected Products

  o Vulnerable Products

    This vulnerability affected all Cisco Webex Meetings sites prior to the
    Cisco fix. Webex Meetings is cloud based.

    At the time of publication, this vulnerability also affected the following
    releases of Cisco Webex Meetings Server, which is on premises. See the
    Details section in the bug ID(s) at the top of this advisory for the most
    complete and current information.

       3.0MR3 Security Patch 4 and earlier
       4.0MR3 Security Patch 3 and earlier

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Details

  o A successful exploit could allow the attacker to maintain bidirectional
    audio despite disconnecting from the session or being expelled by the
    session host.
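
    The ghost-join issue (CVE-2020-3419) and this persistent-audio issue
    (CVE-2020-3471) share one shape: the media plane keeps granting audio or
    video on the strength of a join token while the meeting service's roster
    says the holder is absent, either because the holder never appeared in it
    or because the host expelled them. The following model of that failure
    class, beside a media service that re-checks the roster, is an added example
    written for this bulletin; it is not Webex code and does not describe how
    Webex actually issues or validates tokens. The token format, the
    MeetingService, DesyncedMediaService and RosterBoundMediaService names, the
    demo() helper and the participant names are assumptions.

```python
"""Model of the failure class behind CVE-2020-3419 and CVE-2020-3471: a media
plane that honours a join token without consulting the meeting's current roster.
Illustrative only: not Webex code, and not a description of Webex internals."""
import base64
import hashlib
import hmac
import json
import secrets


class MeetingService:
    """Control plane: mints join tokens and owns the roster the host sees."""

    def __init__(self, key):
        self._key = key
        self.roster = {}  # participant -> session id currently on the roster

    def join(self, participant):
        """Put the participant on the roster and hand back an HMAC-signed token."""
        sid = secrets.token_hex(8)
        self.roster[participant] = sid
        payload = json.dumps({"p": participant, "sid": sid}, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)

    def expel(self, participant):
        """Host action: the participant leaves the roster. Nothing here touches media."""
        self.roster.pop(participant, None)

    def verify_token(self, token):
        """Check the signature only. Returns (participant, sid) or None."""
        try:
            payload_b64, tag_b64 = token.split(b".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        return claims["p"], claims["sid"]

    def is_active(self, participant, sid):
        """True only if this exact session is on the roster right now."""
        return self.roster.get(participant) == sid


class DesyncedMediaService:
    """Media plane that trusts any token with a valid signature, for as long as
    the holder keeps presenting it. A signature proves the token was issued,
    not that the holder is still a participant."""

    def __init__(self, meeting):
        self.meeting = meeting

    def audio_allowed(self, token):
        return self.meeting.verify_token(token) is not None


class RosterBoundMediaService:
    """Media plane that asks the meeting service, on every media decision,
    whether the session named in the token is still on the roster."""

    def __init__(self, meeting):
        self.meeting = meeting

    def audio_allowed(self, token):
        claims = self.meeting.verify_token(token)
        if claims is None:
            return False
        participant, sid = claims
        return self.meeting.is_active(participant, sid)


def demo(media_cls):
    """Join, get expelled, keep presenting the old token.
    Returns (audio allowed before expel, audio allowed after expel)."""
    meeting = MeetingService(secrets.token_bytes(32))
    media = media_cls(meeting)
    token = meeting.join("alice")  # assumed participant name
    before = media.audio_allowed(token)
    meeting.expel("alice")
    after = media.audio_allowed(token)
    return before, after


if __name__ == "__main__":
    print("desynced media plane (before, after expel):", demo(DesyncedMediaService))
    print("roster-bound media plane (before, after expel):", demo(RosterBoundMediaService))
```

    With DesyncedMediaService the old token keeps working after the expel,
    which is the state an expelled-but-still-audible participant, or one who
    holds media access without a roster entry, is in. RosterBoundMediaService
    binds the decision to the roster and to the session id, so the expel takes
    effect on the next media decision and a later re-join mints a new session
    that the old token cannot impersonate. In a real deployment the expel would
    also tear the media session down actively rather than waiting for the next
    check.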

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    Cisco has addressed this vulnerability in Cisco Webex Meetings sites, which
    are cloud based. No user action is required.

    At the time of publication, the following releases for Cisco Webex Meetings
    Server, which is on-premises software, contain the fix for this
    vulnerability. Customers are advised to apply updated software releases.
    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

       3.0MR3 Security Patch 5
       4.0MR3 Security Patch 4

    Customers who need additional information are advised to contact the Cisco
    TAC or their contracted maintenance providers.
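
    The three advisories above name the same first fixed Security Patch for each
    on-premises Cisco Webex Meetings Server train, and different first fixed
    releases for the client apps. The following script, an added example for
    this bulletin and not a Cisco tool, turns those stated releases into a check
    over a constructed inventory. The triage_inventory function, the channel
    names (desktop, desktop_slow, mobile) and the sample hosts are assumptions.
    It covers only what the advisories state: cloud-hosted Webex Meetings sites
    were fixed on Cisco's side, so there is nothing for a customer to
    version-check there, and the bug IDs at the top of each advisory remain the
    authoritative source.

```python
"""Version triage against the fixed releases stated in
cisco-sa-webex-auth-token-3vg57A5r, cisco-sa-webex-infodisc-4tvQzn4 and
cisco-sa-webex-info-leak-PhpzB3sG. Added example; not a Cisco tool.
Inventory entries and channel names are assumptions."""
import re

CVES = ("CVE-2020-3419", "CVE-2020-3441", "CVE-2020-3471")

# On-premises Cisco Webex Meetings Server: all three advisories give the same
# first fixed Security Patch per release train.
CWMS_FIRST_FIXED_PATCH = {"3.0MR3": 5, "4.0MR3": 4}

# Client apps for the cloud-based service: first fixed release per CVE and
# channel. CVE-2020-3471 was fixed on the cloud side only, so it has no entry.
CLIENT_FIRST_FIXED = {
    "CVE-2020-3419": {"mobile": (40, 11)},
    "CVE-2020-3441": {
        "desktop": (40, 11, 4),
        "desktop_slow": (40, 6, 12),
        "mobile": (40, 11),
    },
}

_CWMS_RE = re.compile(r"^(\d+\.\d+MR\d+)\s+Security\s+Patch\s+(\d+)$", re.IGNORECASE)


def parse_cwms_release(release):
    """'4.0MR3 Security Patch 3' -> ('4.0MR3', 3). Raises ValueError otherwise."""
    m = _CWMS_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised Webex Meetings Server release: {release!r}")
    return m.group(1).upper(), int(m.group(2))


def cwms_vulnerable(release):
    """True when the on-premises release is below the first fixed patch for its train."""
    train, patch = parse_cwms_release(release)
    if train not in CWMS_FIRST_FIXED_PATCH:
        # A train the advisories do not list: refuse to guess rather than say "fixed".
        raise ValueError(f"release train {train} is not covered by these advisories")
    return patch < CWMS_FIRST_FIXED_PATCH[train]


def parse_app_version(version):
    """'40.11.3' -> (40, 11, 3). Tuple comparison orders 40.10.9 below 40.11."""
    return tuple(int(part) for part in version.strip().split("."))


def client_vulnerable(cve, channel, version):
    """True when a client on this channel is below the first fixed release for the CVE."""
    fixed = CLIENT_FIRST_FIXED.get(cve, {}).get(channel)
    if fixed is None:
        raise ValueError(f"{cve} has no client fix recorded for channel {channel!r}")
    return parse_app_version(version) < fixed


def triage_inventory(inventory):
    """Map each entry's name to the CVEs from these advisories still open on it."""
    findings = {}
    for item in inventory:
        kind, version = item["kind"], item["version"]
        if kind == "cwms":
            open_cves = list(CVES) if cwms_vulnerable(version) else []
        else:
            open_cves = [
                cve
                for cve, channels in CLIENT_FIRST_FIXED.items()
                if kind in channels and client_vulnerable(cve, kind, version)
            ]
        findings[item["name"]] = open_cves
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"name": "cwms-prod", "kind": "cwms", "version": "4.0MR3 Security Patch 3"},
    {"name": "cwms-dr", "kind": "cwms", "version": "3.0MR3 Security Patch 5"},
    {"name": "laptop-01", "kind": "desktop", "version": "40.11.3"},
    {"name": "laptop-02", "kind": "desktop_slow", "version": "40.6.12"},
    {"name": "phone-01", "kind": "mobile", "version": "40.10.9"},
]

if __name__ == "__main__":
    for name, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(cves) if cves else 'no open CVEs from these advisories'}")
```

    The check refuses unknown release trains instead of reporting them as
    fixed, and it keys client versions by channel because a Slow Channel
    40.6.x build is compared against 40.6.12, not against the 40.11.4 desktop
    fix. A mobile app at 40.10.9 is flagged for both CVE-2020-3419 and
    CVE-2020-3441, since both advisories name 40.11 as the first fixed mobile
    release.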

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware of
    malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the following researchers from IBM Research for
    reporting this vulnerability:

       Jiyong Jang, Research Scientist and Manager
       Dhilung Kirat, Research Scientist
       Ian Molloy, Principal RSM and Department Head
       J.R. Rao, IBM Fellow and CTO

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-webex-info-leak-PhpzB3sG

Revision History

  o +---------+-----------------------+----------------+--------+-------------+
    | Version |      Description      |    Section     | Status |    Date     |
    +---------+-----------------------+----------------+--------+-------------+
    |         | Updated formatting in | Vulnerable     |        |             |
    | 1.2     | Vulnerable Products   | Products and   | Final  | 2020-NOV-23 |
    |         | and Fixed Software.   | Fixed Software |        |             |
    +---------+-----------------------+----------------+--------+-------------+
    | 1.1     | Corrected a           | Source         | Final  | 2020-NOV-19 |
    |         | researcher's name.    |                |        |             |
    +---------+-----------------------+----------------+--------+-------------+
    | 1.0     | Initial public        | -              | Final  | 2020-NOV-18 |
    |         | release.              |                |        |             |
    +---------+-----------------------+----------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================