Cisco WebEx Meetings Server Deployment Passphrase Bypass Vulnerability

A vulnerability in the deployment module of Cisco WebEx Meeting Center could allow an unauthenticated, remote attacker to bypass the passphrase check during the deployment of a virtual machine.

The vulnerability is due to a flaw in the validation of the passphrase.

An attacker could exploit this vulnerability by accessing the deployment URL without the passphrase. A successful exploit could allow the attacker to start the deployment of a virtual machine or interrupt an existing deployment by resetting the status of the deployment itself. This vulnerability can be exploited only if the virtual machine is not already deployed or during the deployment itself. After the virtual machine is deployed, the deployment URL is not valid anymore so the vulnerability cannot be exploited.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker must know and have access to the deployment URL which typically should only be given to personnel authorized to access the network in which the targeted device may reside. These requirements would likely decrease the chances of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.