WebEx: Hundreds of thousands of meetings potentially accessible to the public

The debate about security vulnerabilities in WebEx continues. "Die Zeit" found hundreds of thousands of meetings that were potentially accessible to the public.

This article was originally published in German and has been automatically translated.

Hundreds of thousands of WebEx meetings held by public authorities and companies in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark are said to have been potentially accessible to the public. This was reported by the weekly newspaper "Die Zeit". It appears that vast numbers of meeting entries could have been found and that it was possible to participate in meetings without a password. The author of the report dialed into two of these video conferences, one of them a daily meeting of the Federal Office for Migration and Refugees (BAMF) and one at the Barmer health insurance company, and informed the provider Cisco Systems. The WebEx operator only closed the security gap at the end of May.

The Federal Ministry of the Interior, which is also responsible for the Federal Office for Information Security and other affected authorities, continues to speak of an "alleged security vulnerability" in a statement and points out that "vulnerabilities in software products alone do not provide a basis for a fundamental statement about the IT security level of a product". Individual cases and framework conditions are decisive.

Because log data is only retained for a short period, it could not be fully determined whether the vulnerability had been exploited; as far back as the log data went, however, this was not the case. "Cisco Solutions GmbH has informed the customers affected according to its current knowledge and informed the BMI about the basic facts," a spokesperson told heise online. Whether the BSI recommendation for WebEx now needs to be changed is currently being examined.

At the beginning of March, a WebEx conference of high-ranking Bundeswehr officers leaked by the Russian side caused a stir. In their insufficiently secured meeting via the video conferencing system, they had discussed possible deployment scenarios for the German Taurus KEPD-350 cruise missile. At the beginning of May, a "Zeit" report revealed that WebEx meetings could be guessed by simply incrementing the meeting ID on the respective instance. However, the Federal Ministry of Defense announced after an initial investigation that there was no direct connection between the two cases.

"In addition to several federal ministries and authorities, the Bundestag, parliamentary groups and state chancelleries, several large companies and the BSI itself are apparently also affected," explained Green MPs Misbah Khan and Konstantin von Notz, who are therefore calling for a "general review of our telecommunications infrastructures regarding their integrity". The fact that this did not happen by the beginning of May at the latest is inexplicable. The SPD-led Federal Ministry of the Interior would be responsible for this.

In the case of the German Armed Forces, provider Cisco argued that a configuration issue with the on-premises installation was the cause and that cloud-hosted meetings were therefore not affected. This is precisely what "Die Zeit" is now questioning in its report. Cisco has not yet commented on the report.

(mki)