WebEx: BSI does not recommend Cisco's conferencing product

After the discovery of further security vulnerabilities in Cisco's WebEx, the BSI states that it has never explicitly recommended the video conferencing system.

This article was originally published in German and has been automatically translated.

In a letter to Tabea Rößner (Greens), Chair of the Bundestag's Digital Committee, BSI Vice President Gerhard Schabhüser explains that the BSI has not issued a recommendation for WebEx. There are so-called C5 test certificates, Schabhüser explains in the letter. However, this procedure takes place without the involvement of the Bonn-based IT security authority: "Compliance with the criteria can be certified by auditors, for example, and thus proven to customers. In this case, these auditors are commissioned directly by the cloud provider," says the letter, which is available to heise online. From 2019 onward, Cisco had advertised that WebEx met the criteria of the "Cloud Computing Compliance Controls Catalogue" (C5). The process also does not provide for an assessment by the BSI itself.

There is also no BSI recommendation for the use of WebEx, Schabhüser clarifies. For the discussion of classified content, i.e., from the official classification level "for official use only" upward, WebEx is only suitable if it is used in a fully secured environment in accordance with the classified information directive. In an initial reaction to the new reports last week, the Federal Ministry of the Interior stated that the BSI was currently reviewing its recommendations.

According to today's letter, the federal IT security authority in Bonn immediately informed all parties it knew to be affected and was in contact with the WebEx provider Cisco. "The known IT security vulnerabilities were closed by Cisco after they became known," Vice President Schabhüser wrote to the Digital Committee. "If necessary, the BSI reserves the right to use the legal means at its disposal to demand all necessary information on an IT product from its manufacturer."

Yesterday, Monday, several days after Zeit Online published the security problems, the BSI published its security warning for the first time. It states: "If the BSI's recommendations are followed, the security vulnerability 'only' led to the outflow of metadata." In addition, meetings that were created in WebEx before May 28 and are still pending should be deleted and recreated. "This includes, in particular, regular appointments created before 28/05/2024." Otherwise, meetings could still be guessed and, if no password protection is set, could probably also be accessed.

The BSI, which was itself affected by the security vulnerability, also states in the security warning that it has reported the incident to the Federal Data Protection Commissioner, who is responsible for federal authorities. This should also be read as a notice to all other affected parties: those affected should report the WebEx vulnerability to the relevant supervisory authority. Cisco itself admitted to iX that both on-premises and cloud users were affected by the error and warned users about configuration errors.

(olb)