VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2021 · Updated Aug 4, 2024

CVE-2021-34416


Description

The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network configuration, which could lead to remote command injection on the on-premise image by the web portal administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The network address settings portal in multiple Zoom on-premise products lacks input validation, allowing authenticated administrators to inject commands remotely.

Vulnerability

The network address administrative settings web portal in multiple Zoom on-premise products fails to validate user-supplied input when updating network configuration. This input validation flaw allows remote command injection on the affected on-premise image. The vulnerability impacts Zoom on-premise Meeting Connector versions before 4.6.360.20210325, Zoom on-premise Meeting Connector MMR versions before 4.6.360.20210325, Zoom on-premise Recording Connector versions before 3.8.44.20210326, Zoom on-premise Virtual Room Connector versions before 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer versions before 2.5.5495.20210326 [1].

Exploitation

An attacker must be authenticated as a web portal administrator to exploit this vulnerability. By sending crafted requests to the network configuration update endpoint, the attacker can inject arbitrary commands. No user interaction beyond the administrator's own actions is required. The injection occurs because the input is not properly sanitized before being processed [1].
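The kind of server-side check whose absence the advisory describes, as an added example: this is not Zoom's code, and the field names, the `eth0` device and the use of `ip` commands are assumptions made for illustration. Each submitted value is parsed as an IPv4 object, re-serialized from the parsed result, and passed to the OS as an argument list rather than a shell string.

```python
import ipaddress
import subprocess

# Hypothetical form fields; the advisory does not publish the portal's parameters.
FIELDS = ("address", "netmask", "gateway")

# Constructed sample requests (not captured traffic).
SAMPLE_OK = {"address": "10.0.0.5", "netmask": "255.255.255.0", "gateway": "10.0.0.1"}
SAMPLE_BAD = {"address": "10.0.0.5", "netmask": "255.255.255.0; id", "gateway": "10.0.0.1"}


def parse_network_settings(form):
    """Return canonical (address, prefix_len, gateway) or raise ValueError."""
    unknown = set(form) - set(FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    if not all(isinstance(v, str) for v in form.values()):
        raise ValueError("all fields must be strings")
    try:
        # The parser accepts only a valid IPv4 address and mask; anything else,
        # including shell metacharacters or whitespace, raises ValueError.
        iface = ipaddress.IPv4Interface(f"{form['address']}/{form['netmask']}")
        gateway = ipaddress.IPv4Address(form["gateway"])
    except KeyError as exc:
        raise ValueError(f"missing field: {exc}") from None
    if gateway not in iface.network:
        raise ValueError("gateway is outside the configured subnet")
    # Re-serialize from the parsed objects so no raw request text is reused.
    return str(iface.ip), iface.network.prefixlen, str(gateway)


def build_commands(form, dev="eth0"):
    """Build argv lists from validated values; dev is an assumed interface name."""
    addr, prefix, gw = parse_network_settings(form)
    return [
        ["ip", "addr", "replace", f"{addr}/{prefix}", "dev", dev],
        ["ip", "route", "replace", "default", "via", gw, "dev", dev],
    ]


def apply_settings(form):
    # No shell is involved: each argv element reaches the program as one argument.
    for argv in build_commands(form):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    print(build_commands(SAMPLE_OK))
```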

Impact

Successful exploitation allows a remote, authenticated administrator to execute arbitrary commands on the underlying on-premise image. This can lead to full system compromise, including data exfiltration, modification of system configuration, and potential lateral movement within the network. The injection point is the web application, and the injected commands run with the privileges of the affected process, which may be elevated [1].

Mitigation

Zoom has released fixed versions for all affected products: Meeting Connector version 4.6.360.20210325, Meeting Connector MMR version 4.6.360.20210325, Recording Connector version 3.8.44.20210326, Virtual Room Connector version 4.4.6752.20210326, and Virtual Room Connector Load Balancer version 2.5.5495.20210326. Users should update to these versions or later to remediate the vulnerability. No workarounds are mentioned in the available references [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
