Zoom On-Premise Deployments: Improper Access Control

Vulnerability

Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability [1]. The flaw exists in the meeting management component such that a malicious actor could gain access to meeting audio and video feeds without proper authorization.

Exploitation

An attacker does not require any special authentication or privileges beyond network access to the affected Zoom On-Premise Meeting Connector MMR server [1]. By exploiting the improper access control, the attacker can intercept the audio and video streams of meetings they were not authorized to join.

Impact

Successful exploitation allows the attacker to obtain the audio and video feed of meetings they were not authorized to attend, and may also enable other meeting disruptions [1]. This leads to a compromise of confidentiality of meeting content and potential integrity/availability impacts.

Mitigation

The vulnerability is fixed in Zoom On-Premise Meeting Connector MMR version 4.8.20220815.130 [1]. Users should update to this version or later to mitigate the issue. No workarounds are mentioned in the available references.