====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN046
_____________________________________________________________________

DATE                : 27/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Webex Meetings Suite, Cisco
                Webex Meetings Online versions prior to 39.11.5, 40.1.3.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin
_____________________________________________________________________

Cisco Webex Meetings Suite and Cisco Webex Meetings Online
Unauthenticated Meeting Join Vulnerability

High

Advisory ID:      cisco-sa-20200124-webex-unauthjoin
First Published:  2020 January 24 16:00 GMT
Last Updated:     2020 January 24 19:21 GMT
Version 1.1:      Final
Workarounds:      No workarounds available
Cisco Bug IDs:    CSCvs69110
CVSS Score:       Base 7.5


CVE-2020-3142
CWE-284


Summary

    A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex
Meetings Online sites could allow an unauthenticated, remote attendee to
join a password-protected meeting without providing the meeting
password. The connection attempt must initiate from a Webex mobile
application for either iOS or Android.

    The vulnerability is due to unintended meeting information exposure
in a specific meeting join flow for mobile applications. An unauthorized
attendee could exploit this vulnerability by accessing a known meeting
ID or meeting URL from the mobile device’s web browser. The browser will
then request to launch the device’s Webex mobile application. A
successful exploit could allow the unauthorized attendee to join the
password-protected meeting. The unauthorized attendee will be visible in
the attendee list of the meeting as a mobile attendee.

    Cisco has applied updates that address this vulnerability and no
user action is required. There are no workarounds that address this
vulnerability.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin


Affected Products

    Vulnerable Products

    This vulnerability affects Cisco Webex Meetings Suite sites and
Cisco Webex Meetings Online sites releases earlier than 39.11.5 and
40.1.3.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
advisory are known to be affected by this vulnerability.

    Cisco has confirmed that Cisco Webex Meetings Server is not
affected.


Details

    Determine the Cisco Webex Meetings Suite or Cisco Webex Meetings
Online Release

    To determine the current release on a Cisco Webex Meetings Suite
site or Cisco Webex Meetings Online site, a user can perform the
following steps:
        Log in to the Cisco Webex Meetings Suite site or Cisco Webex
Meetings Online site.
        Navigate to Downloads on the left side of the page.
        Next to Version Information hover over the circled i.
        Check the value displayed next to Page version.


Workarounds

    There are no workarounds that address this vulnerability.


Fixed Software

    Cisco has addressed this vulnerability in Cisco Webex Meetings Suite
sites and Cisco Webex Meetings sites, which are cloud based. No user
action is required. The Details section of this advisory describes how
to determine the current running release.

    Customers who need additional information are advised to contact the
Cisco Technical Assistance Center (TAC) or their contracted maintenance
provider.


    Fixed Releases

    Cisco fixed this vulnerability in page versions 39.11.5 and later
and 40.1.3 and later for Cisco Webex Meetings Suite sites and Cisco
Webex Meetings Online sites. These page versions apply to client
versions T32, T33, T39, and T40. The fix applies to Cisco Webex Meetings
Suite sites and Cisco Webex Meetings sites only. Customers are not
required to update the Cisco Webex Meetings mobile application or the
Cisco Webex Meetings desktop application.


Exploitation and Public Announcements

    The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements of the vulnerability that is described
in this advisory.

    Cisco PSIRT is aware of active use of the vulnerability that is
described in this advisory.


Source

    This vulnerability was found during the resolution of a Cisco TAC
support case.

URL


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200124-webex-unauthjoin


Revision History

Version 	Description 	Section 	Status 	Date

1.1 	Corrected link destination for visible advisory URL in the Summary
section. 	Summary 	Final 	2020-January-24

 1.0 	Initial public release. 	— 	Final 	2020-January-24


Legal Disclaimer

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that
omits the distribution URL is an uncontrolled copy and may lack
important information or contain factual errors. The information in this
document is intended for end users of Cisco products.



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================