Insufficient Session Expiration in Zoom administrator portal



Published: 2020-03-06
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID N/A
CWE-ID CWE-613
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Zoom administrator portal
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor Zoom Video Communications, Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Insufficient Session Expiration

EUVDB-ID: #VU25795

Risk: Medium

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-613 - Insufficient Session Expiration

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to target system.

The vulnerability exists due to insufficient session expiration issue in Zoom Conference Room Connector services. A remote administrator with access to the connected device can access the room administration interface, even if this access is revoked by removing the user from the administrator group or by deleting the user altogether.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom administrator portal: 25.11.2019

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0969


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###