Zoom On-Premise Deployments: Improper Access Control

Vulnerability

Zoom On-Premise Meeting Connector MMR versions before 4.8.20220815.130 contain an improper access control vulnerability. This allows an unauthorized actor to access meeting audio and video feeds and cause disruptions. The vulnerability exists in the Meeting Connector component handling meeting join requests.

Exploitation

An attacker who can reach the Zoom On-Premise Meeting Connector MMR can exploit the improper access controls to join a meeting without proper authorization. The exact steps involve sending crafted join requests that bypass authorization checks.

Impact

Successful exploitation grants an attacker unauthorized access to the audio and video feeds of meetings. The attacker can also cause other meeting disruptions, such as dropping participants or interfering with meeting controls. The impact is a breach of confidentiality and availability.

Mitigation

Zoom has released version 4.8.20220815.130 of the On-Premise Meeting Connector MMR, which fixes this vulnerability. Users should upgrade to this version or later. No workarounds are documented. [1]