BigBlueButton Meeting Access Code Brute Force Vulnerability

2020.11.25
tr Seccops (TR) tr
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-307


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Title: BigBlueButton Meeting Access Code Brute Force Vulnerability # Date: 24.11.2020 # Author: Seccops (https://seccops.com) # Vendor Homepage: bigbluebutton.org # Version: 2.2.29 and previous versions # CVE: CVE-2020-29042 === Summary === An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. === Description === BigBlueButton is an open source web conferencing solution for online learning that provides real-time sharing of audio, video, slides, whiteboard, chat and screen. It also allows participants to join the conferences with their webcams and invite guest speakers. An unlimited number of codes can be entered for a meeting that is protected by an access code. This situation causes a brute force attack. The following is a brute force attack for the access code of a meeting with a known meeting link: https://imgur.com/a/jaoOkwT === Impact === An attacker who knows a meeting link protected by an access code; By breaking the access code with brute force attack, it can make social engineering attacks in the meeting, collect all the confidential information/documents that were spoken and shared in the meeting, disturb other users in the meeting or sabotage the meeting.


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top