Pexip security bulletins

The following security bulletins are published by Pexip for issues affecting our own products — Pexip Infinity, the Pexip Connect apps, the VMR self-service portal, and Enhanced Room Management. There are currently no security bulletins for any other Pexip products, including the Reverse Proxy and TURN Server and Pexip Justice.

For information about external issues arising in third-party software and operating systems that may impact these Pexip products, see https://www.pexip.com/trust-center. Where relevant, updates will be incorporated into each Pexip product, so we recommend that you frequently check for and always run the latest versions of each product. If you have deployed Pexip's VMR self-service portal, Reverse Proxy and TURN Server, or Pexip Justice products, you should also ensure that the appliance's operating system is regularly patched against the latest security bugs.

More information specific to each vulnerability can be found in the NIST National Vulnerability Database: http://nvd.nist.gov/.

Pexip Infinity

This list covers issues addressed in Pexip Infinity v32.0 and later. For issues addressed in v31.x or earlier, see our documentation for previous releases.

Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.

In the table below, "Severity" reflects the severity of the issue as calculated from the CVSS Base Score. "Risk" reflects the risk associated with each vulnerability in the context of the Pexip Infinity product environment.

Reference | Description | Severity | Risk | Updated | Impacted versions | Addressed in version
CVE‑2024‑6387

A race condition was found in OpenSSH's server. If a client does not authenticate within 120 seconds then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code with root privileges.

CVSS3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Discussion: Exploitation of this vulnerability requires an attacker to sustain a large number of connection attempts for a long time (in the original report, which documents an attack on a 32-bit architecture, up to 8 hours of attempts were required for a successful exploit). Pexip Infinity runs on a 64-bit architecture, where the attack is believed to be possible but would have to be sustained for several days before success.

From version 27, Pexip Infinity further limits connection attempts to a rate lower than that used in the documented attack. While this will not prevent a successful attack, it will slow an attacker down, increasing the likelihood of detection because the attack would have to be sustained for longer before success is achieved.

Mitigation: Ensure SSH access to Infinity nodes is restricted to trusted networks and/or disable SSH using the Management Web Interface.

Resolution: Upgrade to Pexip Infinity v34.2

Severity: High | Risk: High | Updated: July 2024 | Impacted versions: 26 ‑ 34.1 | Addressed in version: 34.2
CVE‑2024‑33850

Incomplete access control checks for participants in the waiting room of a locked conference expose conference information and may allow these participants to perform actions on the conference.

CVSS3.1 base score: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)

Discussion: When a conference is locked, participants attempting to join the meeting will be authenticated according to the configured conference access policy and then placed into a waiting room until explicitly admitted by an existing conference host participant. It is possible for participants in the waiting room to obtain the conference roster list and to perform actions on the conference according to the role they would possess after being admitted to the meeting.

Mitigation: There is no mitigation available to prevent exposure of the conference roster list to waiting room participants. Minimise the actions available to a waiting room participant by ensuring that locked conferences have a Host PIN configured (or require strong authentication using Identity Providers) so that waiting room participants will only have Guest permissions.

Resolution: Upgrade to Pexip Infinity v34.1

Severity: High | Risk: High | Impacted versions: 4 ‑ 34.0 | Addressed in version: 34.1
CVE‑2023‑34058

VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges

CVSS3.1 base score: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Discussion: Exploitation of this vulnerability requires that the VMware administrator has issued SAML SSO credentials for a user to perform VM Guest Operations and to also have assigned one or more Guest Aliases to the Infinity virtual machines.

Mitigation: Pexip neither recommends, nor supports, the assignment of Guest Aliases to Infinity virtual machines. Ensure that no Guest Aliases have been inadvertently assigned to Infinity virtual machines: https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html

Resolution: Upgrade to Pexip Infinity v34

Severity: High | Risk: High | Updated: March 2024 | Impacted versions: All before 34.0 | Addressed in version: 34.0
Multiple

Resolved minor issues: CVE-2016-10744, CVE-2023-4911, CVE-2023-44487, CVE-2023-45284, CVE-2023-46218, CVE-2023-46219, CVE-2023-5363, CVE-2023-5678, CVE-2023-6237, CVE-2023-6780, CVE-2024-0727

Updated: March 2024 | Addressed in version: 34.0
Multiple

Resolved minor issues: CVE-2020-36516, CVE-2021-32292, CVE-2022-20572, CVE-2022-3107, CVE-2022-3435, CVE-2022-3524, CVE-2022-3543, CVE-2022-3623, CVE-2022-3707, CVE-2022-4378, CVE-2022-48554, CVE-2023-0179, CVE-2023-0386, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1095, CVE-2023-1206, CVE-2023-1249, CVE-2023-1252, CVE-2023-1255, CVE-2023-1998, CVE-2023-20588, CVE-2023-20900, CVE-2023-22998, CVE-2023-23006, CVE-2023-23931, CVE-2023-2650, CVE-2023-2975, CVE-2023-31130, CVE-2023-31248, CVE-2023-3138, CVE-2023-32233, CVE-2023-3390, CVE-2023-3446, CVE-2023-36053, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-38039, CVE-2023-3817, CVE-2023-38633, CVE-2023-39318, CVE-2023-39319, CVE-2023-4004, CVE-2023-40217, CVE-2023-4128, CVE-2023-4147, CVE-2023-4569, CVE-2023-4622, CVE-2023-4911

Updated: October 2023 | Addressed in version: 33.0
Resolved minor issue: CVE-2023-38180

Updated: October 2023 | Addressed in version: 32.3
CVE‑2023‑29331

A vulnerability exists in .NET when processing malicious X.509 client certificates that may consume excessive CPU and lead to a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 32.1

Severity: High | Risk: High | Updated: July 2023 | Impacted versions: 27.0 ‑ 32.0 | Addressed in version: 32.1
CVE‑2023‑37225

Cross-site scripting vulnerability in legacy webapp ("Webapp1") when using preconfigured links.

CVSS3.1 base score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Discussion: An attacker may achieve cross-site scripting by convincing a user to activate a crafted preconfigured link using the legacy Infinity Connect web app ("Webapp1").

  • Since Infinity v26, the default configuration enables the Content-Security-Policy response header, allowing the client to enforce the domains from which script contents may be fetched. These include the wildcard domains *.microsoft.com and *.office.com. An attacker able to control or host a script under these domains may cause the application to execute attacker-controlled code.
  • In Infinity v25, the Content-Security-Policy response header is disabled by default, but may be enabled on this software version via the security wizard. The Content-Security-Policy response header will include the wildcard domains *.microsoft.com and *.office.com. An attacker able to control or host a script under these domains may cause the application to execute attacker-controlled code.
  • In Infinity v18-24, the Content-Security-Policy response header is disabled by default, but may be enabled in these software versions via the security wizard. There are no wildcard domains present in the "script-src" section of the Content-Security-Policy response header in these versions.
  • In Infinity before v18, there is no support for the Content-Security-Policy response header and thus no domain-based restrictions on scripts are available.

Mitigation:

  • On Infinity v31, access to the webapp can be disabled via the Administrator interface (Web App > Web App Paths) by deselecting the Enabled option for webapp1.
  • Infinity v26 onwards allows the Administrator to configure the enabled state and contents of the Content-Security-Policy header via the Administrator interface (Platform > Global Settings > Security). Ensure that the Content-Security-Policy header is enabled and review local modifications to determine if further wildcard domains have been added (and, if they have, consider whether a non-wildcard domain could be used instead). Where the Pexip Scheduling Outlook Add-In is not in use, both *.microsoft.com and *.office.com may safely be removed from the Content-Security-Policy.
  • For Infinity v18-25, ensure that the Enable Content-Security-Policy for Conferencing Nodes setting in the security wizard has been configured to yes (it defaults to no in these software versions). Note, however, that the contents of the Content-Security-Policy response header are not configurable on these software versions.
  • For Infinity v5-17, there is no mitigation.

Resolution: Upgrade to Pexip Infinity 32.0. For deployments running Infinity v30.x and v31.x, contact your authorized Pexip support representative for a software bundle fix.

Credit: This issue was responsibly disclosed by https://github.com/40826d.

Severity: High | Risk: High | Updated: July 2023 | Impacted versions: 5 ‑ 31.3 | Addressed in version: 32.0
Multiple

Resolved minor issues: CVE-2022-3515, CVE-2022-3736, CVE-2022-3924, CVE-2022-4203, CVE-2022-4304, CVE-2022-32221, CVE-2022-38725, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255, CVE-2023-2650, CVE-2023-23916, CVE-2023-26463, CVE-2023-27537, CVE-2023-28484, CVE-2023-29469

Updated: June 2023 | Addressed in version: 32.0
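The review step in the CVE-2023-37225 mitigation above (check the Content-Security-Policy for wildcard script sources, and drop *.microsoft.com and *.office.com where the Outlook Add-In is not used) can be scripted. This is an added example, not Pexip code; the sample header value and the verdict labels are constructed for illustration.

```python
# Wildcards the bulletin lists as present by default from Infinity v25 on.
DEFAULT_WILDCARDS = {"*.microsoft.com", "*.office.com"}

# Constructed sample; a real value comes from the Content-Security-Policy
# response header of the deployment being reviewed.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' *.microsoft.com *.office.com "
    "https://*.example.net:443; frame-src 'self'"
)

def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive: keep the first one.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_of(source):
    """Drop scheme, path and port from a host-source expression."""
    host = source.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()

def audit_script_sources(value, outlook_addin_in_use):
    """Return [(source, verdict)] for script sources that need review."""
    if not value or not value.strip():
        return [("(header)", "csp-disabled")]
    policy = parse_csp(value)
    names = ("script-src-elem", "script-src", "default-src")
    sources = next((policy[n] for n in names if n in policy), None)
    if sources is None:
        return [("script-src", "scripts-unrestricted")]
    findings = []
    for src in sources:
        host = host_of(src)
        if src == "*" or src.endswith(":"):
            findings.append((src, "any-host"))  # bare * or scheme-only
        elif src.startswith("'") or not host.startswith("*."):
            continue  # keywords, nonces, hashes and exact hosts
        elif host not in DEFAULT_WILDCARDS:
            findings.append((src, "added-wildcard"))
        else:
            verdict = "needed-by-addin" if outlook_addin_in_use else "removable"
            findings.append((src, "default-wildcard-" + verdict))
    return findings
```

An empty result for a deployment that does not use the Outlook Add-In means the script sources contain no wildcard hosts.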

Connect apps

Each bulletin addresses a number of vulnerabilities in the software used by the Connect apps. The bulletins include an assessment of the issues, the impact on the Connect app, and resolution details.

Bulletin | Description | Risk | Updated | Impacted versions | Addressed in version
CVE-2024-38392

Insufficient authenticity checks in loading resources allow an attacker to cause the application to run untrusted code.

CVSS3.1 base score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.13.0 and Connect mobile app v1.13.0

Credit: This issue was responsibly disclosed by Mand Consulting Group

Risk: Medium | Updated: July 2024 | Addressed in version: 1.13.0
CVE-2022-2478

Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Risk: High | Updated: March 2023 | Impacted versions: Unknown | Addressed in version: 1.12
CVE-2022-2295

Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Risk: High | Updated: March 2023 | Impacted versions: Unknown | Addressed in version: 1.12
CVE-2022-2294

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Risk: High | Updated: March 2023 | Impacted versions: Unknown | Addressed in version: 1.12
CVE-2022-2162

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 103.0.5060.53 allowed a remote attacker to bypass file system access via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Risk: High | Updated: March 2023 | Impacted versions: Unknown | Addressed in version: 1.12
CVE-2022-2011

Use after free in ANGLE in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

Risk: High | Updated: March 2023 | Impacted versions: Unknown | Addressed in version: 1.12
 

Resolved minor issue: CVE-2022-1867

Updated: March 2023 | Addressed in version: 1.12

VMR self-service portal

Each bulletin addresses a number of vulnerabilities in the software used by the VMR self-service portal. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.

Bulletin | Description | Risk | Updated | Impacted versions | Addressed in version
CVE-2023-40236

The Pexip VMR self-service portal before v3 uses the same SSH host keys across different customers' installations, which allows man-in-the-middle attackers to spoof fake instances by leveraging these keys.

CVSS 3.1 base score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: Manually remove and regenerate the SSH host keys on each VMR Portal instance.

Resolution: Upgrade to VMR portal v3.

Risk: High | Updated: October 2023 | Impacted versions: All prior to version 3 | Addressed in version: 3
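Shared host keys of the kind described in CVE-2023-40236 can be confirmed, and the regeneration verified afterwards, by comparing fingerprints across instances. This is an added example, not Pexip code: it groups ssh-keyscan-style output by SHA256 fingerprint, and the hostnames and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def constructed_key(label):
    """Placeholder key blob for the sample below; not a real host key."""
    return base64.b64encode(b"constructed host key " + label).decode()


# Constructed input in ssh-keyscan's "host keytype base64-key" layout.
# Hostnames are hypothetical.
SAMPLE_SCAN = "\n".join([
    "# portal-a.example:22 SSH-2.0-OpenSSH",
    "portal-a.example ssh-ed25519 " + constructed_key(b"shared"),
    "portal-b.example ssh-ed25519 " + constructed_key(b"shared"),
    "portal-c.example ssh-ed25519 " + constructed_key(b"unique-c"),
    "portal-a.example ssh-rsa " + constructed_key(b"unique-a-rsa"),
])


def fingerprint(key_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_text):
    """Map (keytype, fingerprint) to the hosts presenting that key,
    keeping only keys that more than one host presents."""
    owners = defaultdict(set)
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or truncated line
        host, keytype, key_b64 = fields[:3]
        try:
            owners[(keytype, fingerprint(key_b64))].add(host)
        except ValueError:
            continue  # key field is not valid base64
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}
```

After the host keys have been regenerated on every instance, the function should return an empty dictionary.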

Enhanced Room Management

Each bulletin addresses a number of vulnerabilities in the software used by ERM. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.

Bulletin | Description | Risk | Updated | Impacted versions | Addressed in version
CVE-2024-6387

A race condition was found in OpenSSH's server. If a client does not authenticate within 120 seconds then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code with root privileges.

CVSS3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: The mitigation for older versions (prior to v2.0.1) is to disable the Proxy service in the ERM Installer and redeploy; however, we recommend upgrading to v2.0.1 as soon as practicable.

Resolution: Install v2.0.1 security upgrade 2024-07-09.

Risk: High | Updated: July 2024 | Impacted versions: All prior to version 2.0.1 | Addressed in version: 2.0.1 security upgrade 2024-07-09
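For CVE-2024-6387 (listed above for both Pexip Infinity and ERM), each attempt leaves a connection unauthenticated until sshd's 120-second timer fires, so a sustained attempt shows up as repeated timeouts from one source. This is an added example, not Pexip code: it counts sshd's "Timeout before authentication" messages per source, and the log layout (RFC 3339 timestamp, host, sshd[pid]) and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: "<RFC 3339 timestamp> <host> sshd[<pid>]: <message>".
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:fatal: )?"
    r"Timeout before authentication for (?P<src>\S+) port \d+"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-07-02T10:00:01+00:00 node1 sshd[1201]: fatal: Timeout before authentication for 198.51.100.7 port 40112
2024-07-02T10:02:01+00:00 node1 sshd[1207]: fatal: Timeout before authentication for 198.51.100.7 port 40358
2024-07-02T10:03:10+00:00 node1 sshd[1210]: Accepted publickey for admin from 192.0.2.15 port 50022 ssh2
2024-07-02T10:04:01+00:00 node1 sshd[1215]: fatal: Timeout before authentication for 198.51.100.7 port 40590
2024-07-02T10:05:30+00:00 node1 sshd[1219]: fatal: Timeout before authentication for 203.0.113.9 port 33100
2024-07-02T10:06:01+00:00 node1 sshd[1222]: fatal: Timeout before authentication for 198.51.100.7 port 40811
"""


def grace_timeouts(log_text, min_timeouts=3):
    """Report sources with at least min_timeouts authentication timeouts,
    with the count and the time between the first and last one."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        match = TIMEOUT_RE.match(line)
        if not match:
            continue  # unrelated sshd or syslog line
        try:
            stamp = datetime.fromisoformat(match["ts"])
        except ValueError:
            continue  # timestamp is not in the assumed format
        seen[match["src"]].append(stamp)
    report = {}
    for src, stamps in seen.items():
        if len(stamps) >= min_timeouts:
            span = (max(stamps) - min(stamps)).total_seconds()
            report[src] = {"timeouts": len(stamps), "span_seconds": span}
    return report
```

A single timeout is normal for an abandoned login, which is why the threshold is a parameter to tune against the node's usual traffic.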