Once again, Zoom video conferencing gives hackers easy access to camera and microphone

Cisco recently issued a security alert for all companies using the Zoom
Connector, warning that this connector could be used maliciously. According to
vulnerability testing specialists, this potential malicious use consists of
unauthorized access to Cisco devices through the Zoom Connector.

Apparently, this connector allows any user on the Internet who has a specific
Zoom URL to access the browser interface of Cisco endpoints inside the targeted
company's firewall, without authenticating to either the Zoom cloud or the
endpoint. If successful, the unauthorized user could take control of the
endpoint, access the audio and video logs of sessions, and make calls.

Cisco, Poly, and Lifesize endpoints have web interfaces for managing and
controlling the video devices from a browser. Zoom discovered a way to use the
browser interface on these endpoints to allow one-touch meeting join to the Zoom
service and remote control from the Zoom service cloud, vulnerability testing
experts mention.

Although this was not implemented for malicious purposes, the way the Zoom
connectors were built demonstrated severe design failures and poor compliance
with its users' enterprise security protocols.

These Zoom connectors have two components:

  • A background web interface that runs in the Zoom cloud
  • A Windows server deployed within the company's firewall

To deploy one of these connectors, the administrator logs into the
organization's Zoom cloud account and provides information to a Zoom applet so
that it can learn how to connect to the customer's network. Based on this
information, Zoom creates a unique key or ID. The administrator then installs
the Zoom Connector application on a Windows server within the firewall. During
installation, the administrator enters the unique Zoom key along with the user
name and password for any video endpoint that the organization wants to enable
to join with the Zoom service.

As a result of the installation process, a unique endpoint-specific
URL that points to the Zoom cloud is created. Any browser that points to this
www.zoom.us URL connects to the video endpoint browser page through the Zoom
Connector as if it were directly connected to the browser interface from within
the organization. In short, the Zoom Connector creates a kind of tunnel between
the video endpoint browser interface and the Zoom cloud.

The URL hosted by Zoom did not have authentication controls.
Authentication was not required to log in to the Zoom cloud, and because the
Zoom Connector had automatic login credentials for the video endpoint within
the firewall, no credentials were required to log in to the endpoint's browser
interface, vulnerability testing experts mention.

This unsecured URL can be found in the history of any browser that has
used the URL. Therefore, anyone who knows the URL could control the video
endpoint from any browser anywhere on the Internet without login credentials.
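
The design flaw described above can be modeled in a few lines. The following is an added example, not Zoom's or Cisco's code: every class, method and value is hypothetical, and `login()` stands in for a real authentication step. With `require_auth=False` the relay treats the URL token as the only credential, as the article describes; with `require_auth=True` it also requires a session for the organization that owns the connector.

```python
import secrets
# All names are hypothetical; the credentials are constructed sample values.
class Endpoint:
    """Video endpoint web interface inside the firewall."""
    def __init__(self, user, password):
        self._creds = (user, password)
    def handle(self, user, password, action):
        ok = (user, password) == self._creds
        return f"endpoint: {action} OK" if ok else "endpoint: 401"

class Connector:
    """On-premises connector holding the endpoint credentials from install time."""
    def __init__(self, endpoint, user, password):
        self._endpoint, self._creds = endpoint, (user, password)
    def forward(self, action):
        # Automatic login: the caller never supplies endpoint credentials.
        return self._endpoint.handle(*self._creds, action)

class CloudRelay:
    """Cloud side: maps each endpoint-specific URL token to a connector."""
    def __init__(self, require_auth):
        self.require_auth = require_auth
        self._routes = {}    # URL token -> (owning org, connector)
        self._sessions = {}  # session id -> org
    def register(self, org, connector):
        token = secrets.token_urlsafe(16)
        self._routes[token] = (org, connector)
        return token
    def login(self, org):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = org
        return sid
    def request(self, token, action, session=None):
        if token not in self._routes:
            return "relay: 404"
        org, connector = self._routes[token]
        # Hardened mode: the URL alone is not enough, the session must match the owner.
        if self.require_auth and self._sessions.get(session) != org:
            return "relay: 401"
        return connector.forward(action)

def demo(require_auth):
    ep = Endpoint("admin", "constructed-password")
    relay = CloudRelay(require_auth)
    token = relay.register("acme", Connector(ep, "admin", "constructed-password"))
    owner, other = relay.login("acme"), relay.login("other-org")
    return (relay.request(token, "get-status"),         # URL only, no session
            relay.request(token, "get-status", other),  # session for another org
            relay.request(token, "get-status", owner))  # session for the owner
```

In the unauthenticated mode all three requests reach the endpoint, because the connector's stored credentials satisfy the endpoint's own login on the caller's behalf.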

This is a serious problem, as many endpoint controls can be operated
through the browser interface; using this Zoom Connector URL, any
unauthorized user could control the video endpoint. According to the
vulnerability testing specialists of the International Institute of Cyber
Security (IICS), a malicious actor could make a monitor seem off while they are
actually logging in to any session, logging out, and even invoking other
configurations.

Cisco notified Zoom that it had verified the vulnerability and issued
some recommendations for its solution.
