Cisco fixes WebEx flaw that allowed government, military meetings to be spied on

Researchers were able to glean data from 10,000 meetings held by top Dutch gov officials

Cisco squashed some bugs this week that allowed anyone to view WebEx meeting information and join them, potentially opening up security and privacy concerns for highly sensitive meets.

The issues first came to light on May 4 when German news outlet Zeit Online published an investigation in which it was able to view the meeting details of circa 10,000 Dutch government conference calls.

The bugs allowed onlookers to find meeting details such as where and when they were being held, the host's identity, duration, attendees, and its agenda. Dutch housing minister Hugo de Jonge's whereabouts were visible via the meeting metadata, and in other cases secretary of state Alexandra van Huffelen and Dilan Yeşilgöz, leader of the People's Party for Freedom and Democracy, were also exposed.

Officials in Germany could theoretically have also been compromised to a greater extent than those in the Netherlands, given that the government, at least in some cases, doesn't password-protect its WebEx confabs, according to cybersecurity expert Inge Bryan speaking to Dutch broadcaster NPO.

The investigators, who received links to thousands of meetings hosted by the German armed forces (Bundeswehr) from Netzbegrünung, the German association for green web culture, were able to drop into the assembly gatherings held by the Social Democratic Party of Germany via phone, for example, all while remaining undetected.

While not explicitly linked to this research, it wouldn't be a stretch to assume that the Russian leak of Bundeswehr calls in March was due to the bug in question.

The method would be more effective when meetings are more heavily populated. Unidentified participants connecting via phone are much easier to detect when meetings are small.

While there's no hard evidence to suggest that the flaws were actually abused by a hostile power, it remains a possibility and the Dutch government has launched an investigation as a result.

Reporters were told it would be difficult to determine whether meetings had been spied on because the logs for them don't date back very far.

Zeit's Eva Wolfangel explained to NPO [English subtitles] that because WebEx has a single phone number dedicated to joining meetings via phone in each country, all an intruder would have to do is call that number and input the meeting ID to join surreptitiously. That's if it wasn't password-protected, of course.

Joining WebEx meetings via video is password-protected by default, but it wasn't always the case when joining by phone, the investigation revealed.

Potential intruders only had to adjust the numbers in meeting URLs to read information about, or gain access to, other meetings. The URLs contained sequential numbers that could be cycled through simply by counting up or down, rather than being randomly generated each time.
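The weakness described above is a predictable, sequential meeting identifier. As an added illustration (not code from the article, Cisco or Zeit Online), the block below runs a simple detector over constructed access-log lines, flagging a client that walks consecutive meeting IDs, and shows the mitigation of issuing unpredictable identifiers instead of a counter. The log format, IP addresses and IDs are all made up for the example.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample log lines (not a real Webex log format): client IP, path, status.
SAMPLE_LOG = """\
203.0.113.7 GET /meeting/1000001 200
203.0.113.7 GET /meeting/1000002 200
203.0.113.7 GET /meeting/1000003 200
203.0.113.7 GET /meeting/1000004 200
203.0.113.7 GET /meeting/1000005 200
198.51.100.9 GET /meeting/1000321 200
198.51.100.9 GET /meeting/1000321 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) GET /meeting/(?P<mid>\d+) (?P<status>\d{3})$")


def parse_log(text):
    """Yield (ip, meeting_id) for every line matching the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("mid"))


def find_enumerators(text, min_run=4):
    """Return {ip: longest run of consecutive meeting IDs} for clients whose run
    reaches min_run. Stepping through IDs one at a time is the signature of a
    counter-based URL being cycled rather than normal meeting attendance."""
    ids_by_ip = defaultdict(set)
    for ip, mid in parse_log(text):
        ids_by_ip[ip].add(mid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        longest = 0
        for mid in ids:
            if mid - 1 in ids:
                continue  # only measure from the start of each run
            run = 1
            while mid + run in ids:
                run += 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


def new_meeting_id(nbytes=16):
    """Mitigation: a 128-bit URL-safe random identifier instead of a counter,
    so neighbouring meetings cannot be reached by counting up or down."""
    return secrets.token_urlsafe(nbytes)
```

Run `find_enumerators(SAMPLE_LOG)` to see the first client flagged with a run of five; the second client, re-opening one meeting, is not.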

Using this method, the researchers were able to discover that the German Federal Office for Information Security (BSI) had held multiple meetings with the likes of Europol to discuss foreign espionage. The state capital of Munich is another big WebEx customer in Germany, and investigators were able to suss out that the head of its IT department called a meeting with her staff every Monday morning at the same time.

The private sector was also affected. Various companies across Europe, including those in the defense, tech, and chemical sectors, were exposed through the WebEx bugs.

Cisco drops fixes

Cisco said on June 4 that the bugs were patched on May 28 and that customers who had their meetings compromised have been made aware, based on the logs available to it.

"In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers," it said. "These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024.

"Cisco has notified those customers who had observable successful attempts to access meeting information and metadata based on available logs. Since the bugs were patched, Cisco has not observed any further attempts to obtain meeting data or metadata leveraging the bugs.

"Our investigation is ongoing, and we continue to monitor for unauthorized activity. We will provide updates, if necessary, through regular channels."

El Reg requested additional information from Cisco and the government of the Netherlands but received no response.

The German BSI, however, offered the following statement: "Cisco Solutions GmbH has comprehensively informed the authorities it knows to be affected about their respective impact. This also included the complete list of affected Webex sessions of the respective authorities. In this context, the BSI was also informed of its own involvement. In addition, there were several incident reports from affected authorities to the BSI.

"Vulnerabilities in software products can occur and do not in themselves provide a basis for a fundamental statement about the IT security level of a product. The BSI minimum standard on video conferencing services provides information on how video conferencing services can generally be used securely for (general) communication regardless of acute vulnerabilities.

"In this specific case, Cisco has closed the exploited vulnerability. The BSI has recently sensitized its target groups to the secure use of video conferencing following such incidents and has drawn attention to corresponding BSI publications. The existing BSI recommendations are currently being reviewed and amended if necessary." ®
