The LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability caused by a failure to sanitize input from unauthenticated clients.
According to LifeSize's website, "LifeSize Room combines an immersive, high definition video experience with a rich set of features to deliver a powerful, flexible, and easy-to-use video communication solution."
The LifeSize Room appliance contains an embedded web interface that allows administrative access to the appliance. This web interface fails to sanitize input from unauthenticated clients, leading to an authentication bypass and possibly arbitrary code injection.
A remote, unauthenticated attacker can bypass the authentication of the administrative web interface and possibly inject arbitrary code into the administrative system web interface.
Restrict network access
Thanks to Spencer McIntyre of SecureState for reporting this vulnerability.
This document was written by Michael Orlando.