BigBlueButton 2.2.29 Brute Force

2020-11-25T00:00:00
ID PACKETSTORM:160238
Type packetstorm
Reporter Ismail Saygili
Modified 2020-11-25T00:00:00

Description

                                        
                                            `# Title: BigBlueButton Meeting Access Code Brute Force Vulnerability  
  
# Google Dork: N/A  
  
# Date: 24.11.2020  
  
# Author: Seccops (https://seccops.com)  
  
# Vendor Homepage: bigbluebutton.org  
  
# Version: 2.2.29 and previous versions  
  
# CVE: CVE-2020-29042  
  
  
  
  
  
=== Summary ===  
  
An issue was discovered in BigBlueButton through 2.2.29.  
  
A brute-force attack may occur because an unlimited number of codes can be  
entered for a meeting that is protected by an access code.  
  
  
  
  
  
=== Description ===  
  
BigBlueButton is an open source web conferencing solution for online  
learning that provides real-time sharing of audio, video, slides,  
whiteboard, chat and screen. It also allows participants to join the  
conferences with their webcams and invite guest speakers.  
  
  
  
An unlimited number of codes can be entered for a meeting that is protected  
by an access code. This situation causes a brute force attack.  
  
The following is a brute force attack for the access code of a meeting with  
a known meeting link: https://imgur.com/a/jaoOkwT  
  
  
  
  
  
=== Impact ===  
  
An attacker who knows a meeting link protected by an access code; By  
breaking the access code with brute force attack, it can make social  
engineering attacks in the meeting, collect all the confidential  
information/documents that were spoken and shared in the meeting, disturb  
other users in the meeting or sabotage the meeting.  
  
`