RingCentral Security Bulletins

Latest update: 2024/7/19

CVE: CrowdStrike Global Outage July 2024
SEVERITY: HIGH
TITLE: CrowdStrike Global Outage July 2024
DATE: 7/19/2024
Update Required: NO
RingCentral is aware of the global computer outage affecting airports, banks, and other businesses today. CrowdStrike reports that the issue involved a defect in a single content update for Windows hosts and that the outage is not a security incident or cyberattack.
RingCentral Availability & Customer Impact
Our Network Operations Center received an advisory from CrowdStrike regarding the incident. Our investigation shows that the impact to RingCentral services was minimal, with no impact to product availability or customer data.

CVE: Snowflake Cyber Threat Activity June 2024
SEVERITY: HIGH
TITLE: RingCentral Response
DATE: 7/1/2024
Update Required: NO
RingCentral is aware of the Snowflake blog post, "Detecting and Preventing Unauthorized User Access," about its investigation into a targeted threat campaign against some Snowflake customer accounts. Snowflake has also referenced the blog post from cyber security expert Mandiant, "UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion." No RingCentral customers were affected. RingCentral is continuing to monitor the incident and will update this bulletin in case of any changes.
Snowflake Investigation
In the blog post, Snowflake states that they have no evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform. Snowflake also states that the activity appears to be a targeted campaign directed at users with single-factor authentication, and that threat actors have leveraged credentials previously purchased or obtained through infostealing malware. The blog post includes Snowflake recommendations, including Investigative and Hardening Guidelines.
RingCentral Customer Impact
RingCentral employs Snowflake as a data warehousing vendor. Snowflake has not indicated to RingCentral that our customer data is impacted by the incident. However, we have been proactively in touch with Snowflake to ensure we apply Snowflake's recommended best security practices and properly monitor our systems.
Our IT and Security teams have conducted a thorough assessment and found no impact on our customer data on Snowflake. We have checked our security configurations to ensure that any continued attempts at unauthorized access will be unsuccessful. Our Snowflake logins, where applicable, use MFA through our identity provider (IdP).

CVE: Okta October 2023 Breach in Okta
SEVERITY: HIGH
TITLE: RingCentral Response
DATE: 10/30/2023
Update Required: NO
RingCentral is aware of a breach in the Okta Support Case Management System. RingCentral has confirmed, as part of our third-party due diligence program, that no RingCentral data or customer data has been affected. 
Does this incident impact Okta services used by RingCentral?
No. Okta has confirmed that Okta products and services provided to customers were not impacted in any way.  It should be noted that the Okta Support Case Management System is separate from the production Okta service, which is fully operational and has not been impacted. 
For full details on the incident, please refer to Okta’s official publication: https://sec.okta.com/harfiles
The security of our products and services and the privacy of customer information are of the highest importance to RingCentral. We will continue to carefully monitor the overall environment to ensure overall business continuity and secure operations. If you have any further questions about our overall discipline and security posture, please do not hesitate to ask.

CVE: CVE-2023-34362
SEVERITY: HIGH
TITLE: MOVEit Transfer Vulnerability
DATE: 6/8/2023
Update Required: NO
RingCentral is aware of the Progress MOVEit Transfer vulnerability, reported by the NIST National Vulnerability Database under CVE-2023-34362. Based on our analysis, we do not believe that RingCentral products and services are vulnerable. RingCentral products and services do not use the MOVEit software.
Description (as reported by NVD): In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements.
See also the Progress notice.

CVE: CVE-2022-28751
SEVERITY: HIGH
TITLE: Zoom Local Privilege Escalation in Auto Updater for macOS
DATE: 8/9/2022
Update Required: NO
RingCentral is aware of the Zoom local privilege escalation vulnerability for macOS clients, CVE-2022-28751, and the follow-up vulnerabilities CVE-2022-28756 and CVE-2022-28757. Based on our analysis, we believe that RingCentral products are not vulnerable to these macOS local privilege escalation vulnerabilities.
This vulnerability corresponds to ZSB-22017 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): High
CVSS Score (as reported by Zoom):  8.8
CVSS Vector String (as reported by Zoom): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (as reported by Zoom): The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.6 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.
Remediation:
Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
Source: Reported by Patrick Wardle of Objective-See

CVE: Okta January 2022 Compromise
SEVERITY: Medium
TITLE: RingCentral Response
DATE: 3/24/2022
Update Required: YES
RingCentral is aware of the breach reported and confirmed by Okta through one of their sub-processors, Sitel. RingCentral uses Okta as part of our internal zero-trust and single sign-on discipline. Sitel provides supplementary Tier 1 support for RingCentral customers in several locations, including Europe. We have no evidence that this incident reported by Okta has in any way impacted RingCentral and we have confirmed with Sitel that they have not seen any cross-over internally from the individual impacted to Sitel employees providing support for RingCentral. 

CVE: CVE-2021-34424
SEVERITY: Medium
TITLE: Process memory exposure in RCApp, RCM
DATE: 1/11/2022
Update Required: YES
This vulnerability corresponds to ZSB-21020 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): Medium
CVSS Score (as reported by Zoom):  5.3
CVSS Vector String (as reported by Zoom): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (as reported by Zoom): A vulnerability was discovered in the products listed in the "Affected Products" section of this bulletin which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.
Remediation:
Customers are strongly recommended to update their apps following standard steps defined for MSI and EXE updates in response to the appropriate upgrade prompts.
Affected RingCentral Products: 
·         RCApp (mThor) prior to 21.4.30
·         RCApp (Jupiter) prior to 21.4.30
·         RCM Mobile apps (iOS) prior to 21.4.40208
·         RCM Mobile apps (Android) prior to 21.4.40206
·         RCM Desktop apps (Mac) prior to 21.4.53875
·         RCM Desktop apps (Windows) prior to 21.4.40194
·         RCM Desktop app (Linux) prior to 21.4.53809
·         RCM Rooms Host app (Mac) prior to 21.3.19700
·         RCM Rooms Host app (Windows) prior to 21.3.19702
Based on affected Zoom products:
·         Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
·         Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
·         Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
·         Zoom Client for Meetings for Chrome OS before version 5.0.1
·         Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
·         Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
·         Zoom VDI before version 5.8.4
·         Zoom Meeting SDK for Android before version 5.7.6.1922
·         Zoom Meeting SDK for iOS before version 5.7.6.1082
·         Zoom Meeting SDK for Windows before version 5.7.6.1081
·         Zoom Meeting SDK for Mac before version 5.7.6.1340
·         Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
·         Zoom On-Premise Meeting Connector before version 4.8.12.20211115
·         Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
·         Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
·         Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
·         Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
·         Zoom Hybrid Zproxy before version 1.0.1058.20211116
·         Zoom Hybrid MMR before version 4.6.20211116.131_x86-64
Source: Reported by Zoom in response to a report by Natalie Silvanovich of Google Project Zero

CVE: CVE-2021-34423
SEVERITY: High
TITLE: Buffer overflow in RCApp, RCM
DATE: 1/11/2022
Update Required: YES
This vulnerability corresponds to ZSB-21019 as reported by Zoom against Zoom clients and products.
Severity (as reported by Zoom): High
CVSS Score (as reported by Zoom):  7.3
CVSS Vector String (as reported by Zoom): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Description (as reported by Zoom): A buffer overflow vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.
Remediation:
Customers are strongly recommended to update their apps following standard steps defined for MSI and EXE updates in response to the appropriate upgrade prompts.
Affected RingCentral Products:
·         RCApp (mThor) prior to 21.4.30
·         RCApp (Jupiter) prior to 21.4.30
·         RCM Mobile apps (iOS) prior to 21.4.40208
·         RCM Mobile apps (Android) prior to 21.4.40206
·         RCM Desktop apps (Mac) prior to 21.4.53875
·         RCM Desktop apps (Windows) prior to 21.4.40194
·         RCM Desktop app (Linux) prior to 21.4.53809
·         RCM Rooms Host app (Mac) prior to 21.3.19700
·         RCM Rooms Host app (Windows) prior to 21.3.19702
Based on affected Zoom products:
·         Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
·         Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
·         Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
·         Zoom Client for Meetings for Chrome OS before version 5.0.1
·         Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
·         Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
·         Zoom VDI before version 5.8.4
·         Zoom Meeting SDK for Android before version 5.7.6.1922
·         Zoom Meeting SDK for iOS before version 5.7.6.1082
·         Zoom Meeting SDK for Windows before version 5.7.6.1081
·         Zoom Meeting SDK for Mac before version 5.7.6.1340
·         Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
·         Zoom On-Premise Meeting Connector before version 4.8.12.20211115
·         Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
·         Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
·         Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
·         Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
·         Zoom Hybrid Zproxy before version 1.0.1058.20211116
·         Zoom Hybrid MMR before version 4.6.20211116.131_x86-64
Source: Reported by Zoom in response to a report by Natalie Silvanovich of Google Project Zero

CVE: CVE-2021-45105
SEVERITY: CRITICAL
TITLE: Log4j Remote Code Execution
DATE: 12/20/2021
Update Required: NO
RingCentral is aware of the log4j 0-day vulnerability, CVE-2021-44228, and the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105. Our response and remediations for ’44228 account for ’45046 and ’45105, including updates to log4j 2.16 and log4j 2.17. Based on our analysis and remediation, we continue to believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·  RingCentral Apps (mobile, desktop, Web browser)
·  RingCentral Messaging (also known as Glip)
·  RingCentral Video 
·  RingEX (Message, Video, Phone)
·  RingCentral Engage (Video, Digital)
·  RingCentral Meetings (RCM)
·  RingCentral Contact Center
·  RingCentral Analytics Portal 
·  RingCentral Admin Portal
·  RingCentral General Web 
Severity: CRITICAL
CVSS Score: 10.0
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

CVE: CVE-2021-45046
SEVERITY: CRITICAL
TITLE: Log4j Remote Code Execution
DATE: 12/20/2021
Update Required: NO
RingCentral is aware of the log4j 0-day vulnerability, CVE-2021-44228, and the follow-up vulnerabilities CVE-2021-45046 and CVE-2021-45105. Our response and remediations for ’44228 account for ’45046 and ’45105, including updates to log4j 2.16 and log4j 2.17. Based on our analysis and remediation, we continue to believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·  RingCentral Apps (mobile, desktop, Web browser)
·  RingCentral Messaging (also known as Glip)
·  RingCentral Video 
·  RingEX (Message, Video, Phone)
·  RingCentral Engage (Video, Digital)
·  RingCentral Meetings (RCM)
·  RingCentral Contact Center
·  RingCentral Analytics Portal 
·  RingCentral Admin Portal
·  RingCentral General Web 
Severity: CRITICAL
CVSS Score: 10.0
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

CVE: CVE-2021-44228
SEVERITY: CRITICAL
TITLE: Log4j Remote Code Execution
DATE: 12/13/2021
Update Required: NO
RingCentral is aware of the log4j 0-day vulnerability, CVE-2021-44228, and the follow-up CVE-2021-45046. Our response and remediations account for CVE-2021-45046, including updates to log4j 2.16.
Based on our analysis and remediation, we believe that RingCentral products are not vulnerable to the remote code execution vulnerability, including:
·   RingCentral Apps (mobile, desktop, Web browser)
·   RingCentral Messaging (also known as Glip)
·   RingCentral Video 
·   RingEX (Message, Video, Phone)
·   RingCentral Engage (Video, Digital)
·   RingCentral Contact Center
·   RingCentral Analytics Portal 
·   RingCentral Admin Portal
·   RingCentral Meetings (RCM)
Severity: CRITICAL
CVSS Score: 10.0
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
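The class-removal mitigation in the Log4j description above (the same text appears in all three Log4j bulletins) can be checked across a deployment tree. The Python audit below is an added example, not RingCentral's or Apache's code: it finds log4j-core jars, including ones nested inside .war or fat-jar archives, reports whether JndiLookup.class is still present, and compares the version with the 2.14.1 and 2.17 figures quoted on this page. Reading the version from the file name is an assumption, and the sample archives and their names are constructed.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def classify(label, has_jndi):
    if not has_jndi:
        return "jndi-lookup-removed"      # class-removal mitigation applied
    m = CORE_NAME.search(label)
    if m is None:
        return "unknown-version"          # shaded jar: class present, no version in name
    version = tuple(int(g or 0) for g in m.groups())
    if version <= (2, 14, 1):
        return "affected"                 # "Log4j2 <=2.14.1" in the description
    return "below-2.17" if version < (2, 17, 0) else "at-or-above-2.17"

def scan_archive(label, source, findings):
    """Record log4j-core content in this archive, then descend into nested archives."""
    if not zipfile.is_zipfile(source):
        findings.append((label, "unreadable"))
        return
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names or CORE_NAME.search(label):
            findings.append((label, classify(label, JNDI_CLASS in names)))
        for inner in (n for n in names if n.lower().endswith(ARCHIVES)):
            scan_archive(f"{label}!/{inner}", io.BytesIO(zf.read(inner)), findings)

def scan_tree(root):
    """Scan every .jar/.war/.ear under root; returns (label, status) pairs."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.suffix.lower() in ARCHIVES):
        scan_archive(path.relative_to(root).as_posix(), path, findings)
    return findings

def jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):  # constructed sample input, not real Log4j jars
    full, stripped = jar_bytes({JNDI_CLASS: b""}), jar_bytes({"META-INF/MANIFEST.MF": b""})
    samples = {"log4j-core-2.14.1.jar": full, "log4j-core-2.14.1-patched.jar": stripped,
               "log4j-core-2.17.0.jar": full, "app-all.jar": full,
               "service.war": jar_bytes({"WEB-INF/lib/log4j-core-2.16.0.jar": full})}
    for name, data in samples.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Pointing scan_tree at an application or library directory lists each hit as (path, status); entries nested in another archive are shown as outer!/inner.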