-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4095.3
    Cisco Webex Meetings and Cisco Webex Meetings Server vulnerabilities
                              24 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Webex Meetings and Cisco Webex Meetings Server
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3471 CVE-2020-3441 CVE-2020-3419

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG

Revision History:  November 24 2020: Vendor issued minor updates for each advisory
                   November 19 2020: Updated CVE list from all enclosed reports
                   November 19 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-auth-token-3vg57A5r
First Published: 2020 November 18 16:00 GMT
Last Updated:    2020 November 20 14:34 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu42629 CSCvu42755
CVE Names:       CVE-2020-3419
CWEs:            CWE-913

Summary

  o A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server
    could allow an unauthenticated, remote attacker to join a Webex session
    without appearing on the participant list. This vulnerability is due to
    improper handling of authentication tokens by a vulnerable Webex site.

    An attacker could exploit this vulnerability by sending crafted requests
    to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site.
    A successful exploit requires the attacker to have access to join a Webex
    meeting, including applicable meeting join links and passwords. The
    attacker could then exploit this vulnerability to join meetings, without
    appearing in the participant list, while having full access to audio,
    video, chat, and screen sharing capabilities.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r

Affected Products

  o Vulnerable Products

    This vulnerability affected all Cisco Webex Meetings sites prior to
    November 17, 2020. Webex Meetings is cloud based.

    At the time of publication, this vulnerability also affected all Cisco
    Webex Meetings app releases 40.10.9 and earlier for iOS and Android.

    At the time of publication, this vulnerability also affected the
    following releases of Cisco Webex Meetings Server, which is on premises:

      3.0MR3 Security Patch 4 and earlier
      4.0MR3 Security Patch 3 and earlier

    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cloud-Based Services

    Cisco addressed this vulnerability on November 17, 2020, in Cisco Webex
    Meetings sites, which are cloud based. No user action is required.
    Customers who need additional information are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.
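    The ghost-join advisory above and the audio-exposure advisory later in
    this bulletin describe the same class of defect: the participant list
    and the media session are managed by different services, and a join or
    an expulsion that updates one without the other leaves a party with
    audio and video but no roster entry. The Python model below is an added
    illustration written for this bulletin; it is not Cisco code and does
    not describe Webex internals. The Meeting and Media classes, the
    register=False flag that stands in for the crafted join request, and
    the sample users are hypothetical. It shows the drift in a vulnerable
    design, a hardened design in which the roster is the source of truth
    and expulsion revokes tokens and drops media in one step, and a
    reconciliation check that flags users holding live media without a
    roster entry.

```python
"""Toy model of roster/media desynchronisation (added example, not Cisco code).

Meeting and Media are hypothetical stand-ins for the "meeting and media
services" named in the audio-exposure advisory; they model the defect
class, not Webex internals.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Meeting:
    """Meeting service: owns the roster and issues join tokens."""
    password: str
    roster: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)   # token -> user
    media: "Media | None" = None                 # wired up in the fixed design

    def join(self, user: str, password: str, register: bool = True) -> str:
        if password != self.password:
            raise PermissionError("wrong meeting password")
        token = secrets.token_hex(8)
        self.tokens[token] = user
        if register:                # register=False stands in for a crafted
            self.roster.add(user)   # join request that never lands on the roster
        return token

    def expel_vulnerable(self, user: str) -> None:
        # Only the roster changes; tokens stay valid and media is never told.
        self.roster.discard(user)

    def expel_fixed(self, user: str) -> None:
        # Revoke every token for the user and drop media in the same step.
        self.roster.discard(user)
        for tok in [t for t, u in self.tokens.items() if u == user]:
            del self.tokens[tok]
            self.media.drop(tok)


@dataclass
class Media:
    """Media service: owns audio/video sessions, keyed by join token."""
    sessions: dict = field(default_factory=dict)  # token -> user

    def connect_vulnerable(self, meeting: Meeting, token: str) -> None:
        # Trusts the token alone: anyone holding a token gets media.
        user = meeting.tokens.get(token)
        if user is None:
            raise PermissionError("unknown token")
        self.sessions[token] = user

    def connect_fixed(self, meeting: Meeting, token: str) -> None:
        # Roster is the source of truth: no roster entry, no media session.
        user = meeting.tokens.get(token)
        if user is None or user not in meeting.roster:
            raise PermissionError("token is not backed by a roster entry")
        self.sessions[token] = user

    def drop(self, token: str) -> None:
        self.sessions.pop(token, None)


def ghosts(meeting: Meeting, media: Media) -> set:
    """Reconciliation check: users holding live media with no roster entry."""
    return {u for u in media.sessions.values() if u not in meeting.roster}


def demo_vulnerable() -> list:
    m, av = Meeting("s3cret"), Media()
    # Ghost join: the attacker has the link and password but skips registration.
    av.connect_vulnerable(m, m.join("mallory", "s3cret", register=False))
    # Audio retained: the host expels bob, but the media service never hears of it.
    av.connect_vulnerable(m, m.join("bob", "s3cret"))
    m.expel_vulnerable("bob")
    return sorted(ghosts(m, av))


def demo_fixed() -> tuple:
    m, av = Meeting("s3cret"), Media()
    m.media = av
    try:
        av.connect_fixed(m, m.join("mallory", "s3cret", register=False))
    except PermissionError:
        pass                        # ghost join refused at the media service
    av.connect_fixed(m, m.join("bob", "s3cret"))
    m.expel_fixed("bob")
    return sorted(ghosts(m, av)), "bob" in av.sessions.values()


if __name__ == "__main__":
    print("vulnerable design, ghosts:", demo_vulnerable())        # ['bob', 'mallory']
    print("fixed design, (ghosts, bob has audio):", demo_fixed())  # ([], False)
```

    For a host or site administrator the practical part is the last
    function: where session audit data exposes both the roster and the
    media sessions, comparing the two detects both conditions described in
    this bulletin. It does not replace the fixes: on the cloud service there
    is nothing for the customer to deploy, and on Cisco Webex Meetings
    Server the fixed releases listed in this advisory are the remedy.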
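    Checking exposure means comparing installed versions against the release
    thresholds quoted across the three advisories in this bulletin: 3.0MR3
    Security Patch 5 and 4.0MR3 Security Patch 4 for Cisco Webex Meetings
    Server, 40.11 for the iOS and Android apps, and 40.11.4 (Slow Channel
    40.6.12) for the desktop app. The Python helper below is an added
    example and not a Cisco tool; the version-string format it parses is the
    one used in these advisories, the channel names are labels chosen for
    this example, and the inventory is constructed sample data. It reports
    "unknown" rather than guessing for any release train the advisories do
    not cover.

```python
"""Exposure check against the release thresholds in this bulletin.

Added example, not a Cisco tool. Channel names are labels chosen here;
SAMPLE_INVENTORY is constructed data.
"""
import re

# Cisco Webex Meetings Server (on premises), per train:
# (major, minor) -> (maintenance release, security patch) that first carries the fix.
CWMS_FIXED = {
    (3, 0): (3, 5),   # 3.0MR3 Security Patch 5
    (4, 0): (3, 4),   # 4.0MR3 Security Patch 4
}

# Cloud-side clients: first fixed release per channel (labels chosen here).
CLIENT_FIXED = {
    "mobile": (40, 11),                   # iOS/Android app 40.11
    "desktop": (40, 11, 4),               # desktop app 40.11.4
    "desktop-slow-channel": (40, 6, 12),  # desktop app, Slow Channel 40.6.12
}

_CWMS_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\s*MR(\d+)(?:\s*Security\s*Patch\s*(\d+))?\s*$", re.I)


def parse_cwms(version: str) -> tuple:
    """'4.0MR3 Security Patch 3' -> (4, 0, 3, 3); a bare MR counts as patch 0."""
    m = _CWMS_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Cisco Webex Meetings Server version: {version!r}")
    major, minor, mr, sp = m.groups()
    return int(major), int(minor), int(mr), int(sp or 0)


def cwms_status(version: str) -> str:
    major, minor, mr, sp = parse_cwms(version)
    fixed = CWMS_FIXED.get((major, minor))
    if fixed is None:
        return "unknown"                 # train not covered by the advisories
    fixed_mr, fixed_sp = fixed
    if mr < fixed_mr or (mr == fixed_mr and sp < fixed_sp):
        return "vulnerable"              # "Security Patch N and earlier"
    if mr == fixed_mr:
        return "fixed"
    return "unknown"                     # later MR: check the bug IDs, do not assume


def _dotted(version: str) -> tuple:
    return tuple(int(p) for p in version.strip().split("."))


def client_status(channel: str, version: str) -> str:
    """Compare a dotted client version with the channel's first fixed release.

    The caller must know the channel: a Slow Channel 40.6.x build cannot be
    judged against the 40.11.4 threshold of the regular desktop channel.
    """
    floor = CLIENT_FIXED[channel]
    have = _dotted(version)
    n = max(len(have), len(floor))
    have += (0,) * (n - len(have))       # pad so 40.11 compares as 40.11.0
    floor += (0,) * (n - len(floor))
    return "fixed" if have >= floor else "vulnerable"


def assess(inventory) -> list:
    """inventory: iterable of (product, version); product is 'cwms' or a client channel."""
    report = []
    for product, version in inventory:
        status = cwms_status(version) if product == "cwms" else client_status(product, version)
        report.append((product, version, status))
    return report


SAMPLE_INVENTORY = [                     # constructed sample, not real site data
    ("cwms", "4.0MR3 Security Patch 3"),
    ("cwms", "3.0MR3 Security Patch 5"),
    ("cwms", "3.0MR4"),
    ("mobile", "40.10.9"),
    ("desktop", "40.11.3"),
    ("desktop-slow-channel", "40.6.12"),
]

if __name__ == "__main__":
    for product, version, status in assess(SAMPLE_INVENTORY):
        print(f"{product:22} {version:28} {status}")
```

    The same on-premises thresholds apply to all three advisories, so one
    pass over a Cisco Webex Meetings Server inventory answers all of them;
    the client thresholds matter only for the ghost-join and lobby
    information-disclosure advisories, which list app releases.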
    On-Premises Software

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco TAC or their contracted maintenance providers.

    Fixed Releases

    At the time of publication, Cisco Webex Meetings mobile app releases
    40.11 and later contained the fix for this vulnerability. Users who do
    not have their mobile apps set to update automatically are advised to
    update their apps to a fixed release.

    At the time of publication, the following Cisco Webex Meetings Server
    releases contained the fix for this vulnerability:

      3.0MR3 Security Patch 5
      4.0MR3 Security Patch 4

    Customers are advised to apply updated software releases. See the Details
    section in the bug ID(s) at the top of this advisory for the most complete
    and current information.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware
    of malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the following researchers from IBM Research for
    reporting this vulnerability:

      Jiyong Jang, Research Scientist and Manager
      Dhilung Kirat, Research Scientist
      Ian Molloy, Principal RSM and Department Head
      J.R. Rao, IBM Fellow and CTO

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r

Revision History

  o +---------+------------------------+---------------+--------+-------------+
    | Version | Description            | Section       | Status | Date        |
    +---------+------------------------+---------------+--------+-------------+
    | 1.2     | Updated affected       | Vulnerable    | Final  | 2020-NOV-20 |
    |         | software release.      | Products      |        |             |
    +---------+------------------------+---------------+--------+-------------+
    | 1.1     | Corrected a            | Source        | Final  | 2020-NOV-19 |
    |         | researcher's name.     |               |        |             |
    +---------+------------------------+---------------+--------+-------------+
    | 1.0     | Initial public         | -             | Final  | 2020-NOV-18 |
    |         | release.               |               |        |             |
    +---------+------------------------+---------------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-infodisc-4tvQzn4
First Published: 2020 November 18 16:00 GMT
Last Updated:    2020 November 23 21:59 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu44356 CSCvu48356
CVE Names:       CVE-2020-3441
CWEs:            CWE-20

Summary

  o A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server
    could allow an unauthenticated, remote attacker to view sensitive
    information from the meeting room lobby. This vulnerability is due to
    insufficient protection of sensitive participant information. An attacker
    could exploit this vulnerability by browsing the Webex roster. A
    successful exploit could allow the attacker to gather information about
    other Webex participants, such as email address and IP address, while
    waiting in the lobby.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4

Affected Products

  o Vulnerable Products

    This vulnerability affected all Cisco Webex Meetings sites releases
    40.11.3 and earlier, and Cisco Webex Meetings sites on Slow Channel
    releases 40.6.11 and earlier. Webex Meetings is cloud based.

    At the time of publication, this vulnerability also affected the
    following releases of Cisco Webex Meetings Server, which is on premises.
    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

      3.0MR3 Security Patch 4 and earlier
      4.0MR3 Security Patch 3 and earlier

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the following Cisco Webex Meetings client
    releases, which are cloud based, contained the fix for this vulnerability
    (Cisco Webex Meetings Server, the on-premises product, is listed
    separately below):

      Webex Meetings Desktop App release 40.11.4
      Webex Meetings Desktop App, Slow Channel release 40.6.12. This release
      is expected to be available on November 24, 2020.
      Webex Meetings app for iOS and Android release 40.11

    At the time of publication, the following releases for Cisco Webex
    Meetings Server, which is on-premises software, contained the fix for
    this vulnerability. Customers are advised to apply updated software
    releases. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

      3.0MR3 Security Patch 5
      4.0MR3 Security Patch 4

    Customers who need additional information are advised to contact the
    Cisco TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware
    of malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the following researchers from IBM Research for
    reporting this vulnerability:

      Jiyong Jang, Research Scientist and Manager
      Dhilung Kirat, Research Scientist
      Ian Molloy, Principal RSM and Department Head
      J.R. Rao, IBM Fellow and CTO

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4

Revision History

  o +---------+---------------------------+------------+--------+-------------+
    | Version | Description               | Section    | Status | Date        |
    +---------+---------------------------+------------+--------+-------------+
    |         | Included Slow Channel     |            |        |             |
    |         | releases in Vulnerable    | Vulnerable |        |             |
    |         | Products and Fixed        | Products   |        |             |
    | 1.2     | Software. Updated         | and Fixed  | Final  | 2020-NOV-23 |
    |         | formatting in Vulnerable  | Software   |        |             |
    |         | Products and Fixed        |            |        |             |
    |         | Software.                 |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.1     | Corrected a researcher's  | Source     | Final  | 2020-NOV-19 |
    |         | name.                     |            |        |             |
    +---------+---------------------------+------------+--------+-------------+
    | 1.0     | Initial public release.   | -          | Final  | 2020-NOV-18 |
    +---------+---------------------------+------------+--------+-------------+

- --------------------------------------------------------------------------------

Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webex-info-leak-PhpzB3sG
First Published: 2020 November 18 16:00 GMT
Last Updated:    2020 November 23 21:59 GMT
Version 1.2:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu84564 CSCvu98531
CVE Names:       CVE-2020-3471
CWEs:            CWE-20

Summary

  o A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server
    could allow an unauthenticated, remote attacker to maintain bidirectional
    audio despite being expelled from an active Webex session. The
    vulnerability is due to a synchronization issue between meeting and media
    services on a vulnerable Webex site.

    An attacker could exploit this vulnerability by sending crafted requests
    to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site.
    A successful exploit could allow the attacker to maintain the audio
    connection of a Webex session despite being expelled.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG

Affected Products

  o Vulnerable Products

    This vulnerability affected all Cisco Webex Meetings sites prior to the
    Cisco fix. Webex Meetings is cloud based.

    At the time of publication, this vulnerability also affected the
    following releases of Cisco Webex Meetings Server, which is on premises.
    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

      3.0MR3 Security Patch 4 and earlier
      4.0MR3 Security Patch 3 and earlier

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Details

  o A successful exploit could allow the attacker to maintain bidirectional
    audio despite disconnecting from the session or being expelled by the
    session host.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    Cisco has addressed this vulnerability in Cisco Webex Meetings sites,
    which are cloud based. No user action is required.

    At the time of publication, the following releases for Cisco Webex
    Meetings Server, which is on-premises software, contain the fix for this
    vulnerability. Customers are advised to apply updated software releases.
    See the Details section in the bug ID(s) at the top of this advisory for
    the most complete and current information.

      3.0MR3 Security Patch 5
      4.0MR3 Security Patch 4

    Customers who need additional information are advised to contact the
    Cisco TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of
    public announcements about this vulnerability. Cisco PSIRT is not aware
    of malicious use of the vulnerability that is described in this advisory.

Source

  o Cisco would like to thank the following researchers from IBM Research for
    reporting this vulnerability:

      Jiyong Jang, Research Scientist and Manager
      Dhilung Kirat, Research Scientist
      Ian Molloy, Principal RSM and Department Head
      J.R. Rao, IBM Fellow and CTO

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG

Revision History

  o +---------+-----------------------+----------------+--------+-------------+
    | Version | Description           | Section        | Status | Date        |
    +---------+-----------------------+----------------+--------+-------------+
    |         | Updated formatting in | Vulnerable     |        |             |
    | 1.2     | Vulnerable Products   | Products and   | Final  | 2020-NOV-23 |
    |         | and Fixed Software.   | Fixed Software |        |             |
    +---------+-----------------------+----------------+--------+-------------+
    | 1.1     | Corrected a           | Source         | Final  | 2020-NOV-19 |
    |         | researcher's name.    |                |        |             |
    +---------+-----------------------+----------------+--------+-------------+
    | 1.0     | Initial public        | -              | Final  | 2020-NOV-18 |
    |         | release.              |                |        |             |
    +---------+-----------------------+----------------+--------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7yVfuNLKJtyKPYoAQharg/9Gy5QzxnkAKyVFdsIqf8V/zdonkG+QITc
vr0Ge6k7Yx6lJJ7q1fHu/yAV+4B8SRz6JinPsJsKk/sgo1sTYyuExnYw0ltVzoVh
h5W3oE6OE8qlKiDSTq3Pa7FdE9WcOH7dDx2dGY/KkV2igCAbchf2oA+mdE/6l5Zq
krZWAapylpMb83bZHwqG8If17Hw9R+oLbkfokJ5w7fcgWcLv+k3Vr1GaPCchFIjt
lBK39z5UREXnqD9bl6N558RPCIKU2t4IFct82wQ/Udfu111i1zcynQbjLmwv6ZZv
BD595mMUz6J8GyWsB/iSbpomp0wMsHqjmfyrjmxm+K75sYobqlClXA20tTPuazL1
iYPLpxDXbSOE6dwDsdUZOwovO7j//h/vfdOUYVB0hoJKWjPvl9L+z40qe4otPzOX
s+1lA+jfdQOt/uJW/r3h7NmulVi189BNzuHFvsVUl/K5nU/4mRYrQ0Mlyy5rDpx6
Vt8J0GajGa0gcUYdEfc5jYONbAcOLmyb/oZeK1LCV01Ic4wQ7Xm3NdlnW71u3aQg
egwCQTfQ6LnlXU2+pTgChG0ahNjfP9laWbgWFnSipcGqRem42md+Q5pEGSSoSkls
4nqcHy8Q871JSOEHnFTT0GdTZo89xDc8c1fNWWSNfLkb+OZ4bj7JUF5mT5EPdOJG
RNhtwMoT4RY=
=MHZJ
-----END PGP SIGNATURE-----