Improper access control in Cisco Webex Meetings Suite and Cisco Webex Meetings Online



Published: 2020-01-27
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2020-3142
CWE-ID: CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Cisco Webex Meetings Suite
Client/Desktop applications / Other client software

Cisco Webex Meetings Online
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper access control

EUVDB-ID: #VU24661

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3142

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to unintended meeting information exposure in a specific meeting join flow for mobile applications. A remote attacker can join a password-protected meeting without providing the meeting password.

This vulnerability can be exploited by accessing a known meeting ID or meeting URL from the mobile device’s web browser. The browser will then request to launch the device’s Webex mobile application. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco Webex Meetings Suite: before 40.1.3

Cisco Webex Meetings Online: before 40.1.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote unauthenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


