
While Zoom is in the News, Other Vendors are Also Plagued with Vulnerabilities

May 13, 2020


The first few months of 2020 had the world thrust apart because of COVID-19. In response, organizations and individuals alike turned to one technology more than any other: teleconferencing software. During the first three weeks of April 2020, Zoom saw a jump of 100 million users despite publicly disclosed security issues and trending vulnerabilities like CVE-2019-13449 and CVE-2019-13450.

At this point, Zoom’s security issues should be of no surprise to anyone. The CEO of Zoom, Eric Yuan, admitted that “[Zoom] did not design [their] product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.” He goes on to say that with the drastic increase in Zoom users came a utilization of Zoom “in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.” However, Zoom isn’t the only teleconferencing software under attack.

All teleconferencing software products are experiencing a drastic increase in users utilizing the technology in unexpected ways, and adversaries are discovering methods to break and exploit the software. Of the 68 teleconferencing products we analyzed, 877 vulnerabilities were discovered, with 37 of them weaponized over the past 10 years.

[Figure: Teleconferencing vulnerability weaponization by vendor]

Cisco is affected by 424 Common Vulnerabilities and Exposures (CVEs), the highest CVE count among the top teleconferencing providers. When considering the average Common Vulnerability Scoring System (CVSS) score, however, the insecurity of Zoom products stands out: the CVEs affecting Zoom products have the highest average CVSS v3 base score among top teleconferencing products, at 8.2.

One noteworthy observation that did not make headline news concerns Polycom Corporation, which had the most weaponized vulnerabilities of any teleconferencing vendor in the market. Out of 37 weaponized teleconferencing vulnerabilities, Polycom accounted for 13. Seven of those are classified as remote code execution (RCE) vulnerabilities, one is a privilege escalation (PE) vulnerability, and five are web application vulnerabilities. Of the top eight teleconferencing vendors, four (Zoom, Cisco, Microsoft, and Polycom) have had four or more weaponized vulnerabilities in the last 10 years. Among the 18 weaponized vulnerabilities affecting teleconferencing software in the last three years, three were observed as trending.

[Figure: Teleconferencing vulnerability weaponization by year]

Interestingly, 2018 had the highest number of weaponized teleconferencing vulnerabilities, coming in at nine CVEs. Since 2015, however, the number of weaponized CVEs has increased by a significant margin, accounting for 31 of the 37 weaponized CVEs.

Among Cisco and Zoom’s weaponized CVEs, three vulnerabilities are actively being used in the wild in attacks and malware: CVE-2019-13449, CVE-2019-13450, and CVE-2019-1674. One of Zoom’s web application vulnerabilities, CVE-2019-13449, corresponds to Common Weakness Enumeration (CWE) 20, Improper Input Validation, a CWE that also maps to six other weaponized vulnerabilities in our dataset. CWE 78, OS Command Injection, maps not only to Cisco’s PE vulnerability, CVE-2019-1674, but also to the OWASP Top 10 A1 category and to four other of the 37 weaponized CVEs.

The answer to securing an organization’s chosen teleconferencing solution is not as simple as avoiding Zoom. Every major Zoom alternative, including Microsoft’s Skype, Cisco’s WebEx, Polycom’s Viewstation, Lifesize, TeamViewer, and RingCentral, has had vulnerabilities become weaponized in the last 10 years. Organizations instead need to arm themselves with knowledge of the latest vulnerabilities affecting their chosen solution and of the potential impact those vulnerabilities could have, from both a risk-based (severity) and a threat-based (weaponized, trending) perspective.
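The kind of risk- and threat-based triage recommended above, as an added example that is not part of the original post: a small script that groups weaponized CVEs by vendor, year or CWE, computes a per-vendor average CVSS v3 score, and ranks the CVEs affecting one chosen product by active exploitation first, exploit availability second and severity last. The three trending CVE ids, their vendors, products and CWEs are from the post; every score, year and the PLACEHOLDER rows are constructed so the script runs offline.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    vendor: str
    product: str
    year: int
    cvss_v3: float      # CVSS v3 base score
    weaponized: bool    # public exploit code exists
    trending: bool      # observed in active attacks or malware
    cwe: str


# Constructed sample data: ids, vendors, products, CWEs and trending status of the
# first three rows are from the post; scores, years and PLACEHOLDER rows are made up.
DATASET = [
    Cve("CVE-2019-13449", "Zoom", "Zoom", 2019, 8.8, True, True, "CWE-20"),
    Cve("CVE-2019-13450", "Zoom", "Zoom", 2019, 7.5, True, True, "CWE-20"),
    Cve("CVE-2019-1674", "Cisco", "Webex Meetings", 2019, 7.8, True, True, "CWE-78"),
    Cve("PLACEHOLDER-CVE-1", "Polycom", "Viewstation", 2018, 9.8, True, False, "CWE-78"),
    Cve("PLACEHOLDER-CVE-2", "Cisco", "Webex Meetings", 2018, 5.3, False, False, "CWE-79"),
    Cve("PLACEHOLDER-CVE-3", "Zoom", "Zoom", 2020, 4.3, False, False, "CWE-20"),
]


def weaponized_by(dataset, key):
    """Count weaponized CVEs grouped by one attribute: 'vendor', 'year' or 'cwe'."""
    return Counter(getattr(c, key) for c in dataset if c.weaponized)


def average_cvss_by_vendor(dataset):
    """Mean CVSS v3 base score over all CVEs affecting each vendor."""
    scores = defaultdict(list)
    for c in dataset:
        scores[c.vendor].append(c.cvss_v3)
    return {v: sum(s) / len(s) for v, s in scores.items()}


def threat_label(c):
    """Threat context: what an attacker can already do with this CVE today."""
    return "active exploitation" if c.trending else "exploit available" if c.weaponized else "no known exploit"


def triage(dataset, product):
    """Rank a product's CVEs: trending first, then weaponized, then by CVSS score."""
    mine = [c for c in dataset if c.product == product]
    mine.sort(key=lambda c: (c.trending, c.weaponized, c.cvss_v3), reverse=True)
    return [(c.cve_id, threat_label(c), c.cvss_v3) for c in mine]
```

Feeding a real vulnerability export into DATASET is the only change needed; the CVSS-only ordering and the threat-aware ordering of triage() will differ exactly where a lower-scored but weaponized CVE deserves the earlier patch.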

Trending Teleconferencing Vulnerabilities

CVE | Attack Classification | Vendor | Product
CVE-2019-13449 | Web App | Zoom | Zoom
CVE-2019-13450 | Web App | Zoom | Zoom
CVE-2019-1674 | Privilege Escalation | Cisco | Webex Meetings, Webex Meetings Online, Webex Productivity Tools

Contributing authors: Taylor Wong and Nida Stewart