-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-056
Product:                   Zoom Phone System Management
Manufacturer:              Zoom Video Communications, Inc.
Affected Version(s):       N.A.
Tested Version(s):         N.A.
Vulnerability Type:        Unverified Ownership (CWE-283)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2022-11-18
Solution Date:             2023-08-01
Public Disclosure:         2023-08-10
CVE Reference:             Not yet assigned
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Zoom is video conferencing and messaging software with support for many
different devices. Zoom also provides phone services for PSTN
integration. Besides the multi-platform software clients for Windows,
Mac and Linux, Zoom Phone also offers the possibility to integrate desk
phones in the form of SIP devices and so-called Zoom appliances.

The manufacturer describes the product as follows (see [1]):

"Zoom Phone is a feature-rich cloud phone system for businesses of all
sizes.

- Modern Cloud Phone System: Zoom Phone includes traditional PBX
  features that enable employees to talk and interact in new ways to
  keep businesses moving.

- Centralized Management: Provision and manage users and intelligently
  monitor business interactions with an easy-to-use centralized
  administration portal."

Due to unverified ownership (CWE-283), an attacker can claim a large
number of devices that do not belong to them via the Zoom Phone
Administration Panel. This allows those devices to be controlled
remotely, e.g. by manipulating the device configuration.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

In order for a Zoom device to be managed centrally, an administrator
must add the MAC address of the device in the Zoom Phone Administration
Panel and assign it to a user or a phone number. By assigning a
configuration template, the phone can then be managed centrally.
Finally, this configuration is pulled by the device via HTTPS and the
settings are applied.

Since there are no restrictions for adding MAC addresses of supported
devices in the Zoom Administration Panel, configurations can also be
rolled out to devices that belong to other parties in order to
compromise them remotely. The attack is carried out entirely through
the attacker's own administration panel: the MAC address of the target
device is bound to a configuration template in the attacker's tenant,
and a device that is still in factory settings fetches and applies that
template on its own when it contacts the provisioning service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the Zoom Administration Panel.
2. Navigate to "Phone System Management" > "Phones & Devices".
3. Navigate to the "Unassigned" tab.
4. Import a CSV file including a range of device MAC addresses.

Afterward, each assigned device in factory settings will download and
enforce the settings of the assigned configuration template, e.g.
change the administrator password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fully fixed. According to the manufacturer's statement of
2023-08-01 (see the disclosure timeline), modifications to the firmware
update URL in configuration templates are no longer allowed for new
users and for changes to configuration templates. Further measures,
namely a limit on the number of unassigned devices, a limited validity
period for unassigned devices and monitoring to detect abuse, were
announced for later in 2023.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-11-11: Vulnerability discovered
2022-11-18: Vulnerability reported to manufacturer
2022-11-21: Vulnerability confirmed by manufacturer
2022-11-30: Manufacturer asks for more information and recommendations
2022-12-16: Manufacturer answers that the recommended measures
            contradict the design decision
2023-01-11: Manufacturer informs that they are still in discussion with
            regard to this issue
2023-06-28: Manufacturer is asked for an update or statement
2023-06-30: Manufacturer asks for an updated disclosure timeline and for
            more technical details
2023-06-30: A draft of the detailed blog post on this issue is provided
2023-07-07: Manufacturer asks for details of affected hardware
2023-07-07: CVE IDs of the affected hardware vulnerabilities are
            provided
2023-07-17: Manufacturer informs that an updated statement will be
            provided before 2023-08-10; furthermore, the manufacturer
            plans remediation measures later in 2023
2023-08-01: Zoom has advised that for all new users and changes to
            configuration templates, modifications to the
            firmware update URL will no longer be allowed. In addition,
            further measures are to follow later in the year, such as a
            limited number of unassigned devices, a limited time window
            for the validity of unassigned devices and monitoring
            measures to detect abuse.
2023-08-10: Public disclosure at BlackHat USA [4]
2023-08-11: Public disclosure at https://blog.syss.com [5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Zoom Phone Product Website
    https://explore.zoom.us/en/products/zoom-phone/
[2] SySS Security Advisory SYSS-2022-056
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-056.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] BlackHat USA Briefings Session
    https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341
[5] Detailed Blog Post
    https://blog.syss.com/posts/zero-touch-pwn/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
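The claim flow described under Vulnerability Details and in the PoC, modelled as an added Python example (this is not Zoom's code and not part of the original advisory): a claim service that binds any MAC address to whichever tenant asks first, as the advisory describes, next to a variant that demands evidence of ownership before binding. The per-device claim code (an HMAC over the MAC under a secret the vendor would ship with the device), the first-claim-wins rule, the template keys and the MAC range used are all assumptions made for this example; the hardened variant illustrates the missing check behind CWE-283, not the manufacturer's actual remediation.

```python
# Added illustrative model, not Zoom's code: a device-claim service as the
# advisory describes it (any MAC can be bound to any tenant, CWE-283) next
# to a variant that demands evidence of ownership before binding. The
# per-device claim code, the first-claim-wins rule and the template keys
# are assumptions made for this example.
import hashlib
import hmac
import secrets


def mac_range(start_mac: str, count: int):
    """Expand a contiguous MAC range, as a CSV import of 'a range of device
    MAC addresses' would. Accepts 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'."""
    base = int(start_mac.replace(":", "").replace("-", ""), 16)
    for i in range(count):
        value = base + i
        if value > 0xFFFFFFFFFFFF:
            break
        digits = f"{value:012x}"
        yield ":".join(digits[j:j + 2] for j in range(0, 12, 2))


class VulnerableClaimService:
    """Binds any MAC to whichever tenant claims it first; ownership is never
    verified. A factory-reset device that phones home then receives the
    claimant's template."""

    def __init__(self):
        self.bindings = {}  # mac -> (tenant, template)

    def claim(self, tenant, mac, template, proof=None):
        mac = mac.lower()
        if mac in self.bindings:
            return False  # assumption: first claim wins
        self.bindings[mac] = (tenant, template)
        return True

    def provision(self, mac):
        """Template a device with this MAC pulls on first boot (None if unbound)."""
        bound = self.bindings.get(mac.lower())
        return bound[1] if bound else None


class HardenedClaimService(VulnerableClaimService):
    """Same service, but a claim must carry a per-device claim code
    (hypothetical: derived from a secret the vendor ships with the device
    and keeps in its sales records) so only the holder of the physical
    device can bind its MAC."""

    def __init__(self, device_secrets):
        super().__init__()
        self.device_secrets = {m.lower(): s for m, s in device_secrets.items()}

    @staticmethod
    def claim_code(secret: bytes, mac: str) -> str:
        return hmac.new(secret, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]

    def claim(self, tenant, mac, template, proof=None):
        secret = self.device_secrets.get(mac.lower())
        if secret is None or proof is None:
            return False  # unknown device or no ownership evidence
        if not hmac.compare_digest(self.claim_code(secret, mac), proof):
            return False
        return super().claim(tenant, mac, template)


def demo(start_mac="00:11:22:33:44:00", count=256):
    """Run the mass claim from the PoC against both services and report what
    the attacker and the legitimate owner achieved."""
    # Constructed template: keys are placeholders, not real Zoom settings.
    attacker_template = {"admin_password": "set-by-attacker",
                         "config_server": "https://attacker.invalid/cfg"}
    victims = list(mac_range(start_mac, count))

    vulnerable = VulnerableClaimService()
    vuln_claims = sum(vulnerable.claim("attacker-tenant", m, attacker_template)
                      for m in victims)
    device_got_template = vulnerable.provision(victims[0]) == attacker_template

    # Vendor-side record of per-device secrets (constructed at random here).
    device_secrets = {m: secrets.token_bytes(16) for m in victims}
    hardened = HardenedClaimService(device_secrets)
    no_proof = sum(hardened.claim("attacker-tenant", m, attacker_template)
                   for m in victims)
    guessed = sum(hardened.claim("attacker-tenant", m, attacker_template,
                                 proof="0" * 16) for m in victims)
    owner_mac = victims[0]
    code = HardenedClaimService.claim_code(device_secrets[owner_mac], owner_mac)
    owner_claim = hardened.claim("owner-tenant", owner_mac,
                                 {"admin_password": "owner-chosen"}, proof=code)

    return {
        "vulnerable_attacker_claims": vuln_claims,
        "vulnerable_device_got_attacker_template": device_got_template,
        "hardened_attacker_claims_without_proof": no_proof,
        "hardened_attacker_claims_with_guessed_proof": guessed,
        "hardened_owner_claim_with_code": owner_claim,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the asymmetry the advisory describes: against the unverified service every MAC in the imported range is bound and the first device that phones home receives the attacker's template, while the variant that requires a claim code rejects both proof-less and guessed claims and still lets the actual owner bind the device. The model assumes a first-claim-wins rule, which is why registering owned MAC addresses early matters in such a design; it does not assert that the Zoom Phone portal behaves this way.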
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmUAtfwACgkQrgyb+PE0
i1O3nA//Yq9UelbGmPEFPdFtQGVuVfWjidaStIMnR0CCkyEjJ0AssQo95XLdQugB
2GYJVZsVF/ShmNVRFhLNBAUvYW/wdcBTw2yBRhl6aXxVSdVk7Uk1sZTgQSnE6cQ0
dYmRPNZxXKOvBhJyL6VytVwvCyLOWvJ2xDGr8jUeq90QQc1MUKYsq/SBYa7cWRIx
ZslxozcjetvcyyqhqX22gLhfilKgW/wX0j3O+bJpNrbtKmXMzX/d8VuNioSzTyv4
DC5+WW7jg572atI6JCG+QL8KKS5RF0bRjoU15u+Dmr+NceC42blEq6AAsVJu/NcP
kFfzInjAHb4r+GLztkSBU768NMGdEjCEXFbe61sp185bSWPjs7pVcZCNAghwZ48C
AsU6uP5HKtOusPNM8zhJGX+4a26iVg8NXfqxgYT+w17V/1APNGRzN8MDqJCekJsx
03Si58f+7vqo2UhEaWCBYxE41vdtTVEmNodwwiM/u+27O3gcSCvKIp4VZxnx7+VW
LmhQm8BQenH27ikoK2Nj9JLmnusuigROwliwRRJ3rFpb7fcfrMAIypHIueyBrA56
rPscWNpjpAusvHc0TYAvXZi4MF93BXMeDNfFxRDmFFzdW6i5KlJ9iOXADup8to5H
ygF2xozxok8lY7oIW1x/bSGjKJBuF0t4gT0R/Y4XFutA6w3Cfvg=
=mRN/
-----END PGP SIGNATURE-----