Cisco has uncovered and patched a critical vulnerability in its popular Webex platform. The vulnerability specifically affects the macOS version of the application, which many large organizations in both the public and private sectors use for remote conferencing and meetings.
According to Cisco’s security alert, the Mac desktop version of Webex is exposed to a remote injection attack by an unauthenticated, remote attacker due to a bug tracked as CVE-2020-3342. CVE-2020-3342 is rated 8.8 on the Common Vulnerability Scoring System, which places it in the “high” severity band.
The advisory, quoted in an excerpt below, speaks in more detail about the exact nature of CVE-2020-3342:
The vulnerability is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update. An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.
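The bug class the advisory describes is a client accepting update files from a look-alike server without proving they came from the vendor. The Go program below is an added illustration of the check an updater should make before executing anything it downloaded; it is not Cisco's code and assumes a constructed manifest format ("sha256=<hex>" over the installer bytes), an Ed25519 vendor key pinned in the client, and installer bytes that are just placeholder strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the client fetched from an update server: the installer bytes,
// a vendor-authored manifest naming the installer's expected SHA-256, and the
// vendor's Ed25519 signature over that manifest. (Constructed format for this example.)
type Update struct {
	Installer []byte
	Manifest  []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update manifest signature invalid")
var ErrHashMismatch = errors.New("installer hash does not match signed manifest")

// Verify accepts an update only if the manifest carries a valid signature from the
// pinned vendor key AND the downloaded installer matches the hash in that manifest.
// A look-alike server can produce internally consistent files, but not the vendor's signature.
func Verify(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Manifest, u.Signature) {
		return ErrBadSignature
	}
	want := []byte(fmt.Sprintf("sha256=%x", sha256.Sum256(u.Installer)))
	if !bytes.Equal(u.Manifest, want) {
		return ErrHashMismatch
	}
	return nil
}

// buildUpdate plays the role of a release pipeline: it hashes the installer into a
// manifest and signs the manifest with whichever private key it is handed.
func buildUpdate(priv ed25519.PrivateKey, installer []byte) Update {
	m := []byte(fmt.Sprintf("sha256=%x", sha256.Sum256(installer)))
	return Update{Installer: installer, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // pinned in the client
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)          // key a look-alike server would hold
	genuine := buildUpdate(vendorPriv, []byte("constructed genuine installer"))
	fmt.Println("genuine update:", Verify(vendorPub, genuine))
	lookalike := buildUpdate(otherPriv, []byte("constructed look-alike installer"))
	fmt.Println("look-alike server:", Verify(vendorPub, lookalike))
	swapped := genuine // real signed manifest replayed next to different installer bytes
	swapped.Installer = []byte("constructed look-alike installer")
	fmt.Println("swapped installer:", Verify(vendorPub, swapped))
}
```

Only the first case returns nil; the other two are the outcomes a client that skips either check would wrongly treat as a valid update.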
There are no workarounds for this Webex vulnerability, and as such, Cisco recommends applying its released patch as soon as possible. The vulnerability affects Cisco Webex Meetings Desktop App for Mac in every version predating Release 39.5.11.
As of this time, no known attacks have occurred as a result of CVE-2020-3342. This is liable to change, especially now that Cisco’s security advisory has publicly described the flaw in detail. With so many people working from home, video conferencing software has seen a surge in use, making it an attractive target for cybercriminals. Security advisories are always a double-edged sword in this regard, but companies have a responsibility to inform their customers of such threats.