The US cybersecurity agency CISA says four vulnerabilities found last year in Owl Labs video conferencing devices — flaws that require the attacker to be in close range of the target — have been exploited in attacks.
CISA on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.
Two of the security holes affect Realtek (CVE-2014-8361) and Zyxel (CVE-2017-6884) products and they are known to have been exploited by botnets. Another vulnerability added by CISA to its catalog is CVE-2021-3129, a Laravel vulnerability for which exploitation attempts were first seen in 2021. The fourth is CVE-2022-22265, a Samsung Android vulnerability that Google said had been exploited in the wild since early 2021.
Threat intelligence firm GreyNoise has confirmed that the Realtek, Zyxel and Laravel vulnerabilities are still being targeted in attacks.
The remaining four vulnerabilities added by CISA to its KEV list impact Owl Labs’ Meeting Owl video conferencing product. The device, shaped like an owl, features a 360° conference camera, a mic, and a speaker, and the vendor says it gets smarter over time.
The Meeting Owl vulnerabilities were discovered last year by researchers at Swiss cybersecurity firm Modzero. They include inadequate encryption, missing authentication, hardcoded credentials, and improper authentication issues.
Exploitation of these flaws can allow an attacker to take control of the targeted Meeting Owl device and turn it into a rogue access point.
However, for each vulnerability, Modzero noted in its technical report that an attacker needs to be in Bluetooth range — and in some cases in Wi-Fi range — of the targeted Meeting Owl device for exploitation.
Owl Labs released patches for the vulnerabilities in the summer of 2022, shortly after the issues were publicly disclosed by Modzero.
When Modzero published its research, it said five CVE identifiers had been assigned to the discovered vulnerabilities. One of them was added by CISA to its KEV catalog shortly after disclosure and the remaining four were added this week.
Exploiting vulnerabilities that require the attacker to be in close physical range involves significant preparation. These types of attacks would likely be conducted by a highly motivated and sophisticated attacker as part of an espionage campaign rather than as part of opportunistic operations.
Owl Labs says more than 150,000 organizations across 156 countries use its technology, including a vast majority of Fortune 100 companies, as well as government organizations and educational institutions.
There do not appear to be any public reports describing attacks involving exploitation of Owl Labs product vulnerabilities, but CISA clarified in the past that only flaws for which it has reliable evidence of exploitation in the wild are added to its KEV catalog.
SecurityWeek has reached out to both CISA and Owl Labs for more information. Based on its brief initial response, Owl Labs does not appear to be aware of any attacks. The company is looking into the matter with CISA and waiting to hear back from the agency.
UPDATE on 10/06/2023: CISA has decided to remove the Owl Labs CVEs from the KEV catalog.
Related: Regulators Urge Video Conferencing Companies to Improve Security, Privacy
Related: 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
Related: Zoom Patches Serious macOS App Vulnerabilities Disclosed at DEF CON
