Friday, May 22, 2015

Bug in WebEx Productivity Tools Exposed Audio Conference Credentials

I recently found a security bug in Cisco's WebEx Productivity Tools.  The bug caused your audio conferencing credentials to be sent out in meeting invitations.  It was limited in scope to InterCall customers who integrate with WebEx.

Background:
InterCall is an audio conferencing solution and can be used as an alternative to WebEx's built-in audio.  My company is starting to roll out WebEx this way.  InterCall users have a dedicated conference code and a leader PIN which are your account credentials.  The conference code is meant to be public, but the leader PIN is like a password and should be kept confidential.  Productivity Tools (PT) is an add-on product for WebEx customers.  One of the key features is an integration with Outlook that allows you to create WebEx meetings and send out the invitations from within Outlook.

The Discovery:
First I set up WebEx to use my InterCall account for audio and then downloaded and installed WebEx PT.  Next I created a test WebEx meeting from within Outlook and invited one person.  Upon clicking "Send", PT securely communicated to the WebEx server to auto-populate the conferencing information in the meeting invite.  When the information appeared, I saw my InterCall leader PIN just for a moment before the email was sent.  At first I thought it was a mistake, but inspection of my Sent Items folder showed that my PIN was indeed sent.  The person who received the invite confirmed he got my PIN as well.  Wow!  How could no one at Cisco or my company notice this?  I was unable to find a work-around except for avoiding PT altogether by logging into the WebEx site and creating a meeting from there.
The WebEx meeting host key was also exposed in the email, but that wasn't too worrisome because it changes with each meeting.
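The check a mail pipeline or a curious host could run against an outgoing invite, as an added example that is not part of the original post and not Cisco's or InterCall's code: it treats the conference code as public and the leader PIN as a secret, and flags or redacts the PIN even when the add-in formats it with spaces or dashes.  The credentials, the dial-in number and both invitation bodies are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample credentials (not values from the post). The conference code is
# meant to be shared; the leader PIN is the account's password-equivalent secret.
CONFERENCE_CODE = "4471 2233 08"
LEADER_PIN = "5591"

# Constructed invitation bodies. LEAKY_INVITE mirrors the defect described in the post:
# the add-in populated the leader PIN into the invite next to the public dial-in details.
LEAKY_INVITE = """You are invited to a WebEx meeting.
Audio connection (InterCall):
  Dial-in: +1 800 555 0199  (constructed number)
  Conference code: 4471 2233 08
  Leader PIN: 55 91
Host key: 123456
"""

CLEAN_INVITE = """You are invited to a WebEx meeting.
Audio connection (InterCall):
  Dial-in: +1 800 555 0199  (constructed number)
  Conference code: 4471 2233 08
"""

# A run of digits that may be broken up by single spaces, dashes or dots,
# e.g. "4471 2233 08", "55-91" or "55 91".
DIGIT_RUN = re.compile(r"\d(?:[ \-.]?\d)+")


def normalize(value: str) -> str:
    """Strip separators so '55 91', '55-91' and '5591' compare equal."""
    return re.sub(r"\D", "", value)


def find_secret_leaks(body: str, secrets: dict) -> list:
    """Return (line_no, label) for every digit run in the body that equals a secret.

    `secrets` maps a label to the secret value. Matching is on the whole normalized
    digit run, not on substrings, so a PIN that happens to occur inside a longer phone
    number or conference code does not raise a false positive. The matched text itself
    is deliberately not returned, so findings can be logged without re-leaking the PIN.
    """
    wanted = {normalize(v): label for label, v in secrets.items()}
    findings = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for match in DIGIT_RUN.finditer(line):
            label = wanted.get(normalize(match.group(0)))
            if label:
                findings.append((line_no, label))
    return findings


def redact_secrets(body: str, secrets: dict) -> str:
    """Return the body with every digit run that equals a secret replaced by a placeholder."""
    wanted = {normalize(v) for v in secrets.values()}

    def replace(match):
        return "[REDACTED]" if normalize(match.group(0)) in wanted else match.group(0)

    return DIGIT_RUN.sub(replace, body)


def invite_is_safe_to_send(body: str) -> bool:
    """The pre-send check: the public conference code may appear, the leader PIN may not."""
    return not find_secret_leaks(body, {"leader PIN": LEADER_PIN})


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_INVITE), ("clean", CLEAN_INVITE)):
        leaks = find_secret_leaks(body, {"leader PIN": LEADER_PIN})
        print(f"{name}: safe={invite_is_safe_to_send(body)} leaks={leaks}")
    print(redact_secrets(LEAKY_INVITE, {"leader PIN": LEADER_PIN}))
```

Only the leader PIN is in the secret set; the conference code passes through untouched, which is the distinction the add-in failed to make.  Exact matching on whole digit runs keeps a four-digit PIN from lighting up every phone number in the signature block, at the cost of missing a PIN glued directly onto other digits.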

The Fix:
I reported this security threat to Cisco (and InterCall) on April 28th.  After pestering them for updates, Cisco Engineering finally confirmed to me on May 14 that it was a defect and that they were working on a fix.  I can now confirm that the bug has been fixed in WebEx Productivity Tools Version 2.36.13013.10003, which was released on May 19, 2015.  I would like to thank both InterCall support and Cisco PSIRT for their attention to this matter.  For reasons that are unclear, Cisco hasn't released a security advisory or security alert about this issue.  This blog post will have to suffice.

I'd like to be able to say that technical acumen and advanced hacking were needed to find this vulnerability.  Alas that was not the case!  I was just curious about my new WebEx toy, wanted to understand how it worked, and stumbled upon it. Being curious and questioning things... it's what people in information security tend to do.

Update: On May 28th I received an email from WebEx notifying me about the patch for the vulnerability: