CVE-2024-20396
📋 TL;DR
A vulnerability in Cisco Webex App's protocol handlers could allow remote attackers to capture sensitive information like credentials by tricking users into clicking malicious links. This affects all users of vulnerable Cisco Webex App versions. Attackers need to be in a privileged network position to observe the transmitted traffic.
💻 Affected Systems
- Cisco Webex App
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture user credentials and other sensitive data transmitted through Webex App, leading to account compromise and potential lateral movement.
Likely Case
Attackers capture session tokens or other sensitive information that could be used for limited unauthorized access.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated incidents with quick detection.
🎯 Exploit Status
Exploitation requires user interaction (clicking a link) and attacker network positioning to intercept traffic. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 44.6.0 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-ZjNm8X8j
Restart Required: Yes
Instructions:
1. Open Cisco Webex App. 2. Go to Settings > About. 3. Check current version. 4. If below 44.6.0, update through the app's update mechanism or download from Cisco's website. 5. Restart the application after update.
🔧 Temporary Workarounds
Disable automatic protocol handling
allPrevent Webex App from automatically handling certain protocol links that could be exploited.
Manual configuration through Webex App settings > General > uncheck 'Register Webex as default for meetings' and similar protocol handlers
🧯 If You Can't Patch
- Implement network segmentation to limit attacker ability to intercept traffic in privileged positions
- Deploy web proxy filtering to block malicious links and monitor for suspicious protocol handler requests
🔍 How to Verify
Check if Vulnerable:
Check Webex App version in Settings > About. If version is below 44.6.0, the system is vulnerable.Check Version:
On Windows: Check 'About' in Webex App GUI. On macOS: Webex App > About Webex from menu bar.Verify Fix Applied:
Verify version is 44.6.0 or higher in Settings > About after update.📡 Detection & Monitoring
Log Indicators:
- Unusual protocol handler activation events in application logs
- Multiple failed authentication attempts following protocol handler usage
Network Indicators:
- Unusual outbound traffic patterns from Webex App to unexpected destinations
- Protocol handler requests to non-Cisco domains
SIEM Query:
source="webex_app" AND (event_type="protocol_handler" OR url="file://*")