Full Report
Cisco warned customers today of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely. [...]
Analysis Summary
# Vulnerability: Cisco Webex for BroadWorks Credential Exposure via Unsecure SIP Transport
## CVE Details
- CVE ID: Not explicitly provided in the text, only noted as "A low-severity vulnerability in Cisco Webex for BroadWorks Release 45.2". *A related, actively exploited Cisco vulnerability (CVE-2023-20118) is mentioned, but it pertains to VPN routers, not this specific Webex flaw.*
- CVSS Score: Low-severity (Specific score not provided)
- CWE: Sensitive Information Disclosure (Implied by exposing credentials in SIP headers)
## Affected Systems
- Products: Cisco Webex for BroadWorks, Cisco BroadWorks (on-premises)
- Versions: Release 45.2 (and potentially earlier versions susceptible to the unsecure SIP configuration)
- Configurations: Instances running in Windows environments where unsecure transport is configured for SIP communication.
## Vulnerability Description
A low-severity vulnerability exists which allows an unauthenticated, remote attacker to potentially access data and credentials if unsecure transport (unencrypted) is configured for the Session Initiation Protocol (SIP) communication within the affected Webex for BroadWorks environment. Furthermore, a related issue allows an authenticated user to access credentials in plain text within client and server logs. Exploitation could lead the attacker to access data, credentials, and impersonate the user. The flaw is tied to sensitive information being exposed in SIP headers.
## Exploitation
- Status: No evidence of malicious use in the wild reported by Cisco PSIRT (Product Security Incident Response Team).
- Complexity: Low (due to the potential for an unauthenticated remote attacker to gain initial access if unsecure transport is active).
- Attack Vector: Network
## Impact
- Confidentiality: High (Exposure of credentials and user data)
- Integrity: Medium (Potential for user impersonation)
- Availability: Low (The main impact is data exposure, not service disruption)
## Remediation
### Patches
- Cisco has pushed a configuration change to address the flaw. Customers are advised to restart their Cisco Webex app to ensure the fix is applied. (Specific patch version number not listed, but the configuration change is the primary fix).
### Workarounds
1. **Configure Secure Transport for SIP Communication:** Admins should immediately configure secure transport (encryption) for SIP communication to protect data in transit.
2. **Rotate Credentials:** Cisco recommends rotating credentials to mitigate the risk if credentials were already exposed prior to remediation.
## Detection
- **Indicators of Compromise:** Monitoring network traffic for unencrypted SIP communication containing sensitive header data. Logs showing unauthenticated access attempts or unusual activity associated with SIP sessions.
- **Detection Methods and Tools:** Network monitoring tools capable of inspecting SIP headers and transport protocol configuration. Reviewing client and server logs for plaintext credentials.
## References
- Vendor Advisory: [sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-credexp-xMN85y6](defanged)