Cisco recently issued a security alert for all companies using the Zoom Connector, mentioning that this driver could be used maliciously. According to vulnerability testing specialists, this potential malicious use consists of unauthorized access to Cisco devices through the Zoom Connector.
Apparently, this connector allows any user on the Internet who holds a specific Zoom URL to reach the browser interface on Cisco endpoints without Zoom cloud authentication or endpoint authentication, even though the endpoint sits behind the company's firewall. If successful, the unauthorized user could take control of the endpoint, access the audio and video logs of sessions, and make calls.
Cisco, Poly, and Lifesize endpoints have web interfaces for browser-based management and control of the video devices. Zoom found a way to use the browser interface on these endpoints to offer one-touch joining of Zoom meetings and remote control from the Zoom cloud, vulnerability testing experts note.
Although it was not built for malicious purposes, the design of the Zoom Connector showed severe failures and poor compliance with its users' enterprise security protocols.
These Zoom connectors have two components:
- A background web interface that runs in the Zoom cloud
- A Windows server deployed within the company’s firewall
To deploy one of these connectors, the administrator logs into the organization's Zoom cloud account and gives a Zoom applet the information it needs to connect to the customer's network. Based on this information, Zoom creates a unique key or ID. The administrator then installs the Zoom Connector application on a Windows server within the firewall. During installation, the administrator enters the unique Zoom key along with the user name and password of every video endpoint the organization wants to enable for the Zoom service.
As a result of the installation process, a unique endpoint-specific URL pointing to the Zoom cloud (hosted on www.zoom.us) is created. Any browser that opens this URL connects to the video endpoint's browser page through the Zoom Connector as if it were directly connected to the browser interface from within the organization. In short, the Zoom Connector creates a kind of tunnel between the video endpoint's browser interface and the Zoom cloud.
The URL hosted by Zoom had no authentication controls. Authentication was not required to reach it in the Zoom cloud, and because the Zoom Connector stored automatic login credentials for the video endpoint inside the firewall, no credentials were required to log in to the endpoint's browser interface either, vulnerability testing experts note.
This unsecured URL can be found in the history of any browser that has used it. Therefore, anyone who knows the URL could control the video endpoint from any browser anywhere on the Internet without login credentials.
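The flaw described above is an architectural one: a capability URL plus connector-side credential injection equals unauthenticated access to the endpoint. The following model is an added example written for this page, not Zoom's or Cisco's code; the class names, the `require_cloud_auth` switch and the sample endpoint are constructed to show the reported behaviour next to the obvious fix (tying the tunnel to an authenticated cloud session of the owning organization).

```python
"""Constructed model of a connector tunnel (not Zoom's or Cisco's code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Endpoint:
    """Stand-in for a video endpoint's web interface behind the firewall."""
    name: str
    admin_user: str
    admin_pass: str

    def web_ui(self, user: str, password: str) -> str:
        if (user, password) != (self.admin_user, self.admin_pass):
            return "401 endpoint: login required"
        return f"200 endpoint {self.name}: control panel"


@dataclass
class Session:
    """Browser session arriving at the cloud-hosted connector URL."""
    authenticated: bool = False
    org: Optional[str] = None


@dataclass
class Connector:
    org: str
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)  # URL token -> endpoint
    creds: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # stored at install time
    require_cloud_auth: bool = False  # False models the behaviour reported above

    def register(self, ep: Endpoint) -> str:
        token = secrets.token_urlsafe(16)  # the per-endpoint "unique key or ID"
        self.endpoints[token] = ep
        self.creds[token] = (ep.admin_user, ep.admin_pass)
        return token

    def forward(self, token: str, session: Session) -> str:
        ep = self.endpoints.get(token)
        if ep is None:
            return "404 unknown connector URL"
        # Hardened variant: the URL alone is not enough; the caller must hold an
        # authenticated cloud session belonging to the organization that owns it.
        if self.require_cloud_auth and not (session.authenticated and session.org == self.org):
            return "401 zoom cloud: sign in to your organization first"
        user, password = self.creds[token]  # automatic login with stored credentials
        return ep.web_ui(user, password)
```

With `require_cloud_auth=False`, a bare `Session()` that merely knows the token receives the endpoint's control panel; with it enabled, the same request is refused until the session is authenticated to the owning organization.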
This is a serious problem: many endpoint controls are exposed through the browser interface, and with this Zoom Connector URL any unauthorized user could operate them. According to the vulnerability testing specialists of the International Institute of Cyber Security (IICS), a malicious actor could make a monitor appear to be off while actually logged into a session, log out of sessions, and even change other configuration settings.
Cisco notified Zoom that it had verified the vulnerability and issued some recommendations for remediating it.