On October 31, 2019, Zoom was notified of a security vulnerability discovered in our platform for the Zoom Connector for Cisco, Poly, and Lifesize. The Zoom Connectors for Cisco, Poly, and Lifesize are optional components of our Conference Room Connector product. The Connectors are so named because they connect Zoom’s cloud platform to hardware conference room systems for enterprise management and a one-touch experience.
When an authenticated Zoom administrator used the Zoom Connector to access the Management Console of an H323/SIP endpoint, a unique random URL was generated for that administrator’s login to the managed device. If a bad actor were to somehow obtain that URL, for example through an exploit of the administrator’s browser, they could access the device administration functions without logging in. The URL would not expire and would continue to be accessible even after the administrator had logged out or changed their password on the Zoom web portal.
On November 19, we released a patch on Zoom’s backend that resolved this security issue by removing the authentication token from the URL and switching to a temporary session-based token. Customers were not required to update their software. The same week, we alerted customers with Zoom Connectors that they should check their device logs in the Room Management section of their Administrator portal for unusual activity or unauthorized access. Aligned with responsible disclosure norms, Zoom notified those customers of the security issue only once it was resolved, not before, so as not to alert bad actors to an exploitable vulnerability.
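To illustrate the difference between the two designs described above, here is an added example (not Zoom's code; the class names, the 300-second lifetime and the device identifiers are assumptions): a token store modelling the original behaviour, where a random URL token stays valid indefinitely, beside a session-bound store in which logout, password change or expiry invalidates every token issued under that session.

```python
import secrets
import time


class VulnerableConsoleLinks:
    """Pre-fix pattern: a random token embedded in the URL that never expires
    and is not tied to the admin's login, so it stays valid after logout or a
    password change. Anyone holding the URL is authorized."""

    def __init__(self):
        self._tokens = {}  # token -> (admin, device_id)

    def issue_url(self, admin, device_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (admin, device_id)
        return f"https://console.example/devices/{device_id}?token={token}"

    def authorize(self, token):
        return self._tokens.get(token)  # no expiry, no session check


class SessionBoundConsoleLinks:
    """Post-fix pattern: a short-lived token bound to a live admin session and
    meant to travel in a header or cookie, not the URL. Logout or password
    change drops the session, which invalidates every token issued under it."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested offline
        self._sessions = {}  # session_id -> admin
        self._tokens = {}  # token -> (session_id, device_id, expires_at)

    def login(self, admin):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = admin
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def password_changed(self, admin):
        # Revoke all live sessions for the admin, and with them all tokens.
        for sid in [s for s, a in self._sessions.items() if a == admin]:
            self.logout(sid)

    def issue_token(self, sid, device_id):
        if sid not in self._sessions:
            raise PermissionError("no live admin session")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (sid, device_id, self._now() + self._ttl)
        return token

    def authorize(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return None
        sid, device_id, expires_at = entry
        if self._now() > expires_at or sid not in self._sessions:
            self._tokens.pop(token, None)  # expired or session gone: revoke
            return None
        return self._sessions[sid], device_id
```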
The privacy and security of Zoom’s users is our top priority. We were glad we could resolve this matter to ensure the continued security of our platform.
CVSS v3.0 Severity and Metrics
Base Score: 8.1 (High)
Attack Vector: Network
Attack Complexity: High (depends on conditions outside the attacker’s control)
Privileges Required: None
User Interaction: None
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H