Cisco has uncovered and patched a critical vulnerability in its popular Webex platform. The vulnerability specifically affects the macOS version of the application used by many large organizations in both the public and private sector for remote conferencing and meetings.
According to Cisco’s security alert, a bug tracked as CVE-2020-3342 leaves the Mac desktop version of Webex open to a remote injection attack by an unauthenticated attacker. CVE-2020-3342 is rated 8.8 on the Common Vulnerability Scoring System, which places it in the “high” severity band.
The advisory, excerpted below, describes the exact nature of CVE-2020-3342 in more detail:
The vulnerability is due to improper validation of cryptographic protections on files that are downloaded by the application as part of a software update. An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the user.
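To make the missing check concrete, here is an added Go example (not Cisco's code and not part of the advisory, which does not describe Webex's update format) of an updater that fails closed: it authenticates a manifest against a pinned vendor key, then binds the downloaded payload to that manifest. The `Manifest` layout, the function names, the file name and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: payload file name and SHA-256 (hex).
type Manifest struct {
	File   string `json:"file"`
	SHA256 string `json:"sha256"`
}

// VerifyUpdate returns nil only if the manifest is signed by the pinned key AND the
// payload hashes to the digest inside it; on error the caller must not run the payload.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte) error {
	// 1. Authenticate the manifest before trusting any field in it.
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, manifestJSON, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return errors.New("manifest malformed")
	}
	// 2. Bind the downloaded bytes to the authenticated manifest.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest mismatch")
	}
	return nil
}

// SignManifest is a constructed stand-in for the vendor's release signing step.
func SignManifest(priv ed25519.PrivateKey, file string, payload []byte) (manifestJSON, sig []byte) {
	sum := sha256.Sum256(payload)
	manifestJSON, _ = json.Marshal(Manifest{File: file, SHA256: hex.EncodeToString(sum[:])})
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	m, sig := SignManifest(priv, "update.pkg", []byte("constructed payload"))
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, []byte("constructed payload")))
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, []byte("substituted payload")))
}
```

A look-alike server can return a well-formed manifest and payload, but without the vendor's private key neither the signature check nor the digest binding passes, so nothing is executed.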
There are no workarounds for this Webex vulnerability, so Cisco recommends applying its released patch as soon as possible. The vulnerability affects Cisco Webex Meetings Desktop App for Mac in every version predating Release 39.5.11.
As of this writing, no known attacks have occurred as a result of CVE-2020-3342. This is liable to change, especially in light of the security advisory released by Cisco, which gives hackers full knowledge regarding the exploit. With so many people working from home, video conferencing software has become hugely popular, making it an attractive target for cybercriminals. Security advisories are always a double-edged sword in this regard, but companies have a responsibility to inform their consumers of such threats.
2 thoughts on “Cisco Webex macOS critical vulnerability discovered and patched”
This is not the first time vulnerabilities were found and patched in Cisco’s WebEx online video collaboration software.
Admins can update the two apps for their entire user bases by following the detailed instructions available in the IT Administrator Guide for Mass Deployment of the Cisco Webex Meetings Desktop App.