VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2021 · Updated Aug 4, 2024

CVE-2021-34414

Description

The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version 3.8.42.20200905, Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network proxy configuration, which could lead to remote command injection on the on-premise image by a web portal administrator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Input validation failure in Zoom on-premise Meeting Connector network proxy page allows remote command injection by a web portal administrator.

Vulnerability

The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller, Meeting Connector MMR, Recording Connector, Virtual Room Connector, and Virtual Room Connector Load Balancer fails to validate input sent in requests to update the network proxy configuration. This vulnerability affects the following products before the specified versions: Meeting Connector Controller before version 4.6.348.20201217, Meeting Connector MMR before version 4.6.348.20201217, Recording Connector before version 3.8.42.20200905, Virtual Room Connector before version 4.4.6620.20201110, and Virtual Room Connector Load Balancer before version 2.5.5495.20210326 [1].

Exploitation

A web portal administrator can send a crafted request to the network proxy configuration update endpoint. The lack of input validation in the affected component allows the attacker to inject arbitrary commands. No additional authentication beyond administrator privileges is required, and the attack does not involve user interaction. The attacker must have network access to the on-premise deployment's web portal [1].

Impact

Successful exploitation results in remote command injection on the underlying on-premise image. The attacker gains the ability to execute arbitrary commands with the privileges of the web portal service, potentially leading to full compromise of the Zoom on-premise component. The scope of impact includes confidentiality, integrity, and availability of the affected system [1].

Mitigation

Zoom recommends users update to the latest version of the affected products to obtain security fixes. The fixes are available in the following versions and release dates: Meeting Connector Controller and MMR version 4.6.348.20201217, Recording Connector version 3.8.42.20200905, Virtual Room Connector version 4.4.6620.20201110, and Virtual Room Connector Load Balancer version 2.5.5495.20210326 [1]. No workarounds are described in the available references.
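The flaw class described above, proxy settings that reach a system command without validation, is closed by allow-list validation combined with shell-free invocation. The following is an added example, not Zoom's code or the contents of its fix; the field names `proxy_host` and `proxy_port`, the function names, and the helper path are hypothetical.

```python
import ipaddress
import re

# Allow-list first: only characters an IP literal or hostname can contain.
_CHARSET = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# One RFC 1123 hostname label: letters, digits, inner hyphens only.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
HELPER = "/usr/local/bin/set-proxy"  # hypothetical helper, not a Zoom path

class ProxyConfigError(ValueError):
    """A submitted proxy setting failed validation."""

def validate_host(host):
    """Accept only an IP literal or an RFC 1123 hostname."""
    if not isinstance(host, str) or not _CHARSET.fullmatch(host):
        raise ProxyConfigError("host: wrong type, length or characters")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        raise ProxyConfigError("host: not a valid hostname")
    return host.lower()

def validate_port(port):
    """Accept a decimal port 1-65535 given as an int or ASCII digit string."""
    text = str(port)
    if not (text.isascii() and text.isdigit() and len(text) <= 5):
        raise ProxyConfigError("port: not a decimal number")
    if not 1 <= int(text) <= 65535:
        raise ProxyConfigError("port: out of range")
    return int(text)

def build_proxy_argv(form):
    """Validate the form, then return an argv list (never a shell string)."""
    host = validate_host(form.get("proxy_host"))
    port = validate_port(form.get("proxy_port"))
    target = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    # "--" ends option parsing; run with subprocess.run(argv, shell=False).
    return [HELPER, "--", target]

def accepted(form):
    """True if the form passes validation, False if it is rejected."""
    try:
        build_proxy_argv(form)
        return True
    except ProxyConfigError:
        return False
```

Rejecting a value outright, rather than escaping it, keeps shell metacharacters, option-like values such as a leading hyphen, and IPv6 scope suffixes out of the command line even if a later code path does reach a shell.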

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1
