Talos Vulnerability Report

TALOS-2019-0969

Zoom conference room connector service insufficient session invalidation

March 5, 2020

Summary

Zoom Conference Room Connector services perform insufficient session invalidation upon certain user administration tasks which enable a demoted or deleted user to still access the room administration interface. If a user has administrative access to the connected device and if this access is revoked by removing the user from the administrator group or by deleting the user altogether, the user’s access isn’t immediately restricted.

Tested Versions

Zoom administrator portal as of 25.11.2019.

Product URLs

https://zoom.us

CVSSv3 Score

6.4 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-613: Insufficient Session Expiration

Details

Zoom is a video conferencing solution that offers a myriad of features. One of the services offered is Zoom Conference Room Connector which allows third-party solutions and devices to be connected and managed through Zoom’s services.

When properly configured, 3rd party conference room management requires a local running network service which tunnels HTTP requests from the internet to the third-party device via Zoom’s servers. In short, this allows authenticated administrative access to third-party devices over the internet, even if devices aren’t directly accessible.

To configure access to a third-party device through Zoom servers, a Zoom user needs to be an administrator, then create a room connector ID, install Zoom Connector on the local network and provide Zoom with a username and password for this device. When this is done, the user that is an administrator in the organization can visit a link that fits this form:

hxxps://interop-022.zoom.us/device-session/.XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/ui/web

Visiting a link like this leads to the administrative interface of the third-party device.

When opening a valid URL, a check is performed and only a logged-in Zoom user with correct access rights (administrator in the organization) is allowed access to it. However, if another administrator revokes the first user’s access, the session isn’t immediately invalidated and the user can manage the third-party device. This session persists until it expires by default approximately 12 hours later. A similar problem occurs when administrators are automatically logged out from the Zoom interface for inactivity: The user can still access the device using the URL until the session times out approximately 12 hours later.

Additionally, there is a difference between the way Zoom’s web application handles access to interoperability interface from invalid or logged-out users. Namely, when directly accessing a URL of the above mentioned form (without need for being logged into a Zoom account), if the UUID part of the URL is valid a username/password prompt is displayed, while if the UUID is invalid the request is redirected to the main page. This potentially allows enumeration of valid UUID values.

Timeline

2019-12-05 - Vendor Disclosure
2019-12-22 - Vendor Patched
2020-03-05- Public Disclosure

Credit

Discovered by a member of Cisco Talos.

This vulnerability has not been disclosed and cannot be viewed at this time.