The IT security researchers at TrustWave have discovered critical zero-day vulnerabilities in video conferencing products developed by Lifesize which, if exploited by attackers, can cause a great deal of damage.
Lifesize is an audio and video telecommunication firm based in the United States with offices in Africa, Europe, and the Middle East. Its products are used by tens of thousands of businesses around the world like LinkedIn, eBay, Netflix, and PayPal, etc.
According to a blog post by TrustWave’s Simon Kenin, the zero-day, which results from a coding error, could allow an attacker to capitalize on PHP files found in the Lifesize support section and on default passwords shipped with Lifesize products to gain a foothold in an organization – or, when paired with another vulnerability, to gain root privileges on the Lifesize product’s system and have full persistence on the underlying network.
Currently, the vulnerable products include Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker. Lifesize was informed about the zero-day in January but initially decided not to issue security patches for any of the reported vulnerabilities “due to the products having end of life or end of sale dates announced.”
However, Kenin maintains that these vulnerabilities are critical, since they can give attackers an initial foothold inside the corporate environment.
“The command injection vulnerabilities I found would run system commands as the webserver, in this case, Apache. While this user is limited, it can still have a big impact as it would give an initial foothold for an attacker inside the corporate environment those Lifesize products are located at,” explained Kenin.
“If you combine this LPE exploit together with my command injection vulnerability, you could achieve root privileges on the Lifesize product’s system and have full persistence on the device and its underlying corporate network,” added Kenin.
If your company or institution is using any of the aforementioned products, get in touch with Lifesize, as the company is urging customers to contact its support for a hotfix.
Meanwhile, TrustWave plans to release proof of concept (PoC) code for this vulnerability in the next couple of weeks. This will allow administrators and security researchers to verify whether their products are still vulnerable. Lifesize users are therefore advised to apply the hotfix as soon as possible.