This post describes a security vulnerability in the Fuze collaboration platform, and the mitigation steps that have been taken to correct the issue. The Fuze collaboration platform did not require authentication to access meeting recordings (CWE-284). Shortly after being informed of this issue, Fuze disabled public access to all recorded meetings, and implemented user-configurable controls in the client application to mediate public access to shared meeting recordings. Affected recordings that had already been shared were reviewed and addressed as well. Rapid7 thanks Fuze for their timely and thoughtful response to this issue.

Product Description

Fuze is an enterprise, multi-platform voice, messaging, and collaboration service created by Fuze, Inc. It is described fully at the vendor's website. While much of the Fuze suite of applications is delivered as web-based SaaS components, there are endpoint client applications for a variety of desktop and mobile platforms.

Credit

This issue was discovered by Samuel Huckins of Rapid7 (that's me 😉 ), and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

Recorded Fuze meetings are saved to Fuze's cloud hosting service. They could be accessed by URLs such as "https://browser.fuzemeeting.com/?replayId=7DIGITNUM", where "7DIGITNUM" is a seven-digit number that increments over time. Since this identifier did not provide sufficient keyspace to resist brute-forcing, specific meetings could be accessed and downloaded by simply guessing a replay ID reasonably close to the target and iterating through all likely seven-digit numbers. This format and the lack of authentication also allowed one to find recordings via search engines such as Google.

Vendor Statement

Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem.

Remediation

As of Mar 1, 2017, all meeting recordings now appear to require password authentication in order to be viewed from Fuze's cloud-hosted web application via direct browsing or from the Fuze desktop and mobile clients. This authentication control is configurable by the user via the client applications as of version 4.3.1 (released on Mar 10, 2017). Fuze users are encouraged to update their Fuze client applications in order to take advantage of new access controls. Additional options, such as downloading the recording locally, are available at https://account.fuzemeeting.com/#/recordings.
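The weakness described under Exploitation (a sequential seven-digit replayId served without authentication) and the fix described above (authentication plus owner-controlled sharing), as an added illustration in Python. This is not Fuze's code; the Recording model, the sample replay ID, the user names and the token format are assumptions made for the example.

```python
import math
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Recording:
    """Constructed model of a recording; not Fuze's data model."""
    owner: str
    viewers: Set[str] = field(default_factory=set)
    share_token: Optional[str] = None  # None: the owner has not shared it publicly

def id_space_bits(digits: int) -> float:
    """Keyspace, in bits, of a sequential decimal ID with at most this many digits."""
    return math.log2(10 ** digits)

def new_share_token() -> str:
    """Unguessable, URL-safe share token: 16 random bytes, i.e. 128 bits of keyspace."""
    return secrets.token_urlsafe(16)

def can_view_vulnerable(recordings: Dict[int, Recording], replay_id: int) -> bool:
    """The pre-fix behaviour described above: any existing replayId is served to anyone."""
    return replay_id in recordings

def can_view_hardened(recordings: Dict[int, Recording], replay_id: int,
                      user: Optional[str] = None, token: Optional[str] = None) -> bool:
    """Serve only to the owner, a listed viewer, or a holder of the exact share token."""
    rec = recordings.get(replay_id)
    if rec is None:
        return False
    if user is not None and (user == rec.owner or user in rec.viewers):
        return True
    if token is not None and rec.share_token is not None:
        # constant-time compare so the token check leaks nothing via timing
        return secrets.compare_digest(token, rec.share_token)
    return False

def build_sample() -> Dict[int, Recording]:
    """Constructed sample data: one recording owned by alice, viewable by bob."""
    return {1234567: Recording(owner="alice", viewers={"bob"})}

if __name__ == "__main__":
    recs = build_sample()
    print(f"7-digit ID: {id_space_bits(7):.1f} bits; share token: 128 bits")
    print("unauthenticated, vulnerable:", can_view_vulnerable(recs, 1234567))  # True
    print("unauthenticated, hardened:  ", can_view_hardened(recs, 1234567))   # False
    recs[1234567].share_token = new_share_token()
    print("shared link, hardened:      ",
          can_view_hardened(recs, 1234567, token=recs[1234567].share_token))  # True
```

The keyspace comparison makes the advisory's point concrete: a seven-digit counter offers about 23 bits, far too few to resist enumeration, while a 128-bit random token can only be obtained from someone the owner shared it with.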

Disclosure Timeline

  • Thu, Feb 23, 2017: Discovered by Samuel Huckins of Rapid7.

  • Mon, Feb 27, 2017: Vulnerability verified by Rapid7.

  • Mon, Feb 27, 2017: Vulnerability details disclosed to Fuze.

  • Wed, Mar 01, 2017: Fuze disabled public access to meeting recordings.

  • Fri, Mar 10, 2017: Version 4.3.1 of Fuze endpoint client released, providing authentication controls for recorded meetings.

  • Tue, Mar 15, 2017: Vulnerability details disclosed to CERT/CC.

  • Tue, Mar 21, 2017: VU#590023 assigned by CERT/CC to track this issue.

  • Tue, Apr 25, 2017: CERT/CC and Rapid7 decided not to issue a CVE for this vulnerability. The issue was primarily on Fuze's servers, so end users did not have to take any action, and the issue had already been corrected.

  • Tue, May 02, 2017: Disclosed to the public.