No need to panic: This is what's behind Cisco's Webex loophole
There is a lot of excitement about openly accessible Webex meetings - but the iX interview with Cisco makes it clear how easily users can minimize the risk.
(Image: iX)
- Benjamin Pfister
At the beginning of May 2024, Cisco detected anomalies in the public cloud version of WebEx Meetings at the data center location in Frankfurt. Cisco informed the affected customers immediately. At the same time, existing disclosure processes were initiated to close security gaps, the provider explained.
According to the Security Advisory, further analysis revealed a leak of meeting information and metadata from Webex Meetings. In an interview with iX at the in-house trade fair Live, Cisco clarified that the incident affected all customers of the public cloud SaaS variant. However, the company does not provide any information on the number of customers affected. However, the anomalies were only visible at the Frankfurt site.
According to the descriptions in the security advisory, the manufacturer assumes that the gaps were exploited as part of targeted security research activities. The vulnerability was then closed on May 28, 2024 according to the security advisory. Since then, Cisco says it has not recorded any more attempts to access the affected data.
However, behavior will continue to be monitored closely, particularly on the basis of the patterns detected, and Cisco promises to deliver further patches if necessary. Customers of Webex Meetings should follow the regular support channels for further communication on this incident. According to Cisco, conversation content from meetings was not affected.
Joining without a password?
Cisco also commented on the descriptions of possible meeting access without a password in the iX interview and initially differentiated between the types of meetings: those in so-called personal rooms of the respective users and scheduled meetings. In the former, people first have to wait in a kind of lobby for access and the owner of the personal room has to grant access. In the case of scheduled meetings, the standard configuration is even designed in such a way that it does not allow access without a password. However, customers can - contrary to the manufacturer's recommendations - change this default setting and consequently reduce security. Cisco has also referenced the recommended security measures for administrators and Webex users in the associated Security Advisory.
With regard to the basic processes for dealing with security aspects, the manufacturer stated that every developer is trained in these and that automated tests for detecting security vulnerabilities already take place during the development and design process. In addition, corresponding red teaming tests are carried out and Cisco emphasized that it is very happy to cooperate with security researchers on a frequent basis.
Cisco's most important message is therefore that the existing security gap in the metadata has been closed. However, the insecure configuration options remain. Customers should therefore urgently check their settings at both administrative and user level in the Webex Control Hub and compare them with the manufacturer's security recommendations.
(vbr)
