Remote Code Execution in Lifesize Icon (CVE-2019-3702)


Vendor: Lifesize
Product: Lifesize Icon
Version: LS_RM3_3.7.0 (2421)
Vulnerability: Remote Code Execution


LifeSize Icon is a video collaboration platform and consists of various components, e.q. software, video and phone systems.

From the vendor’s website: “For more than a decade, Lifesize has been at the forefront of video collaboration delivering high-quality technology designed to bring people together. Our focus is on developing market-leading products that deliver easy-to-use and scalable audio, web and video conferencing. We combine an integrated, best-in-class cloud-based conferencing experience, with award-winning, easy-to-use HD camera systems and HD phones so that you can connect to anyone, anywhere. It’s a meeting experience like no other.”
Issue Description

While analyzing the implementation of LifeSize Icon Software, one Remote Code Execution vulnerability has been identified, which can be exploited in order to execute arbitrary commands within the DNS Query address field. This vulnerability can be exploited by authenticated attackers with access to the web interface.

The system provides a JSON API, which exposes various methods like the DNS Query function. This function contains a address field that can be exploited with a remote command execution.

The following HTTP request illustrates this approach:





CVSSv3 Base Score

CVSS Base Score: 8.8



Penetration Testing ermöglicht das Erkennen von operativen Risiken und liefert nützliche Entscheidungskriterien für die Auswahl effektiver sowie effizienter Schutzmaßnahmen. Es stellt also einen wesentlichen Baustein eines funktionsfähigen Sicherheitsprozesses dar und identifiziert, wie oben gezeigt, unbekannte und bekannte Schwachstellen und zeigt darüber hinaus, inwieweit die IT-Infrastruktur den Compliance-Vorgaben entspricht. Folglich lässt sich die Sicherheit der IT-Systeme und Applikationen erhähen und durch einen externen Dritten bestätigen.