Vulnerability in Cisco Webex cloud service exposed government authorities, companies
The vulnerability that allowed a German journalist to discover links to video conference meetings held by the Bundeswehr (the German armed forces) and the Social Democratic Party of Germany (SPD) via their self-hosted Cisco Webex instances also affected the Webex cloud service.
The Cisco Webex Meetings cloud vulnerability
The vulnerability affected all organizations “that have a domain such as organisationsname.webex.com,” according to Netzbegrünung, an association that organizes the digital infrastructure for Bündnis 90/Die Grünen (a German green political party).
Discovered by Netzbegrünung and verified by Eva Wolfangel with ZEIT Online, the bug allowed the discovery of information about past and future Webex meetings involving:
- The country’s Federal Office for Information Security (BSI), the Bundestag (i.e., the parliament), various ministries, the Federal Chancellery, and other federal and state offices
- Authorities and companies – big and small – in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark
Unlike the Bundeswehr and the SPD, these organizations use Webex in the cloud, Wolfangel said.
“The cause of the vulnerability is again [the fact that] Cisco does not use random numbers to assign numbers used for meetings,” Netzbegrünung explained.
“This time it affects a different number than the on-premise system of the Bundeswehr, but the counting method is similar. In combination with an incorrectly configured view for mobile devices, it was then possible to retrieve a huge amount of metadata with a simple web browser – and this for months, probably years.”
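To make the counting problem concrete, here is an added example in Python that is not Cisco's code and not the researchers' tooling. It models a toy meeting service twice: once with counter-based meeting numbers and a metadata view that answers unauthenticated requests, and once with unguessable random identifiers and a login requirement. The class names, the starting counter value, the sample meetings and the `authenticated` flag are all constructed for illustration; the attacker model is simply "I know one meeting number from an invitation and probe its neighbours".

```python
"""
Why counter-based meeting numbers are enumerable: an illustrative model.

Added example, NOT Cisco's implementation or the researchers' method. The
in-memory services, ID formats and sample meetings are constructed here to
show the general failure the article describes: a predictable identifier
combined with a metadata view that needs no login lets anyone walk the ID
space with nothing more than a web browser.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Meeting:
    title: str
    host: str
    start: str      # ISO-8601 timestamp (constructed sample data)
    minutes: int    # planned duration


@dataclass
class WeakService:
    """Meeting numbers come from a counter; the metadata view needs no login."""
    _next: int = 1000                               # assumed starting value
    _meetings: Dict[str, Meeting] = field(default_factory=dict)

    def schedule(self, m: Meeting) -> str:
        mid = str(self._next)                       # predictable: last number + 1
        self._next += 1
        self._meetings[mid] = m
        return mid

    def metadata(self, mid: str, authenticated: bool = False) -> Optional[Meeting]:
        # Misconfigured view: the "authenticated" flag is ignored entirely,
        # so anonymous callers get the same answer as logged-in users.
        return self._meetings.get(mid)


@dataclass
class HardenedService:
    """Unguessable identifiers plus an authentication requirement."""
    _meetings: Dict[str, Meeting] = field(default_factory=dict)

    def schedule(self, m: Meeting) -> str:
        mid = secrets.token_urlsafe(16)             # 128 random bits, no ordering
        self._meetings[mid] = m
        return mid

    def metadata(self, mid: str, authenticated: bool = False) -> Optional[Meeting]:
        if not authenticated:
            return None                             # anonymous lookups get nothing
        return self._meetings.get(mid)


def harvest(service, known_id: str, radius: int) -> Dict[str, Meeting]:
    """Attacker model: knows one meeting number (e.g. from an invite) and
    probes the numbers on either side of it without logging in."""
    found: Dict[str, Meeting] = {}
    if not known_id.isdigit():
        return found                                # random token: no neighbours to walk
    base = int(known_id)
    for n in range(base - radius, base + radius + 1):
        m = service.metadata(str(n))                # unauthenticated, like a browser
        if m is not None:
            found[str(n)] = m
    return found


# Constructed sample data, not real meetings.
SAMPLE_MEETINGS: List[Meeting] = [
    Meeting("Budget review", "host-a", "2024-05-02T09:00", 60),
    Meeting("Vendor sync", "host-b", "2024-05-02T11:00", 30),
    Meeting("Incident retro", "host-c", "2024-05-03T14:00", 45),
]


def build_services():
    """Schedule the same sample meetings on both services; return them and their IDs."""
    weak, hard = WeakService(), HardenedService()
    weak_ids = [weak.schedule(m) for m in SAMPLE_MEETINGS]
    hard_ids = [hard.schedule(m) for m in SAMPLE_MEETINGS]
    return weak, hard, weak_ids, hard_ids


if __name__ == "__main__":
    weak, hard, weak_ids, hard_ids = build_services()
    # Knowing only the middle meeting's number, the attacker recovers all three.
    for mid, m in harvest(weak, weak_ids[1], 5).items():
        print(f"weak   {mid}: {m.title} by {m.host} at {m.start} ({m.minutes} min)")
    # Against random tokens with a login check, the same probing yields nothing.
    print("hardened:", harvest(hard, hard_ids[1], 5))
```

The two properties are independent and both matter: random identifiers alone still leak to anyone who obtains a link, and a login check alone still lets any authenticated user enumerate everyone else's meetings if the numbers are sequential. Rate limiting on the metadata endpoint is a further control the toy omits.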
Tricks to gain access to Webex meetings
Meeting information may be of interest to spies and criminals, Wolfangel noted, as they might profit from knowing who is discussing which things with whom, when, and how long the discussion lasted.
It is not known whether the vulnerability was exploited by malicious individuals or groups before it was found.
As Wolfangel established, it was also possible to dial in to some of the discovered meetings by phone, even where a password was required to join (with video) via the browser or the Webex app. Apparently, callers who join by phone (audio only) and do not know their “participant number” can simply press the hash key and are admitted.
She successfully used this trick to join a video meeting of the Federal Office for Migration and Refugees (BAMF) and one of Barmer Krankenkasse (a health insurance firm), though the other participants noticed that an unknown number had joined the conversation.
When she previously joined a Webex meeting of the SPD where all the other participants were connected by phone, she said she went “partly unnoticed”.
Cisco implements fixes
“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center. These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024,” Cisco confirmed on Tuesday.
“Cisco has notified those customers who had observable attempts to access meeting information and metadata based on available logs. Since the bugs were patched, Cisco has not observed any further attempts to obtain meeting data or metadata leveraging the bugs.”
Netzbegrünung board member Max Pfeuffer confirmed for Help Net Security that the method they used to find the meetings no longer works.
UPDATE (June 7, 2024, 07:25 a.m. ET):
“The German ethical hackers were able to collect information from more than ten thousand Dutch government meetings, more than in the other countries where they investigated government use of Webex,” Dutch newspaper de Volkskrant noted on Thursday.
The Dutch government is now investigating the extent to which information about its own video calls could have been found due to this vulnerability.
UPDATE (June 10, 2024, 09:15 a.m. ET):
The Federal Office for Information Security (BSI) has published an advisory confirming that the accessible meeting metadata included: the meeting UUID (universally unique identifier), meeting number and title, the name of the host, the date and time of the planned meeting and its planned duration.
“According to current knowledge, the following metadata was NOT accessible: meeting password, and information about meeting participants,” they said.
Meetings scheduled after the fix are no longer at risk, but metadata of meetings scheduled before Cisco fixed the problem (on May 28, 2024) may still be accessible, so the BSI advises deleting and rescheduling them.
“The BSI currently has no evidence that the security vulnerability was exploited by other potential attackers besides the security researchers. If the BSI’s recommendations were followed, the security vulnerability ‘only’ led to the leak of metadata. However, because some meetings were scheduled without a password, the security researchers were able to dial in here too,” they added.