On February 7, Trustwave published a report concerning an exploit method discovered by researchers impacting four legacy Lifesize products:
- Lifesize Teams and Lifesize Rooms, part of the previously retired Lifesize 200 and Lifesize 220 family of products,
- Lifesize Networker, a previously retired gateway for integration between IP and ISDNs, and
- Lifesize Passport, a previously retired USB-based camera system series.
After first learning of this flaw, Lifesize engineering conducted an investigation, which confirmed the vulnerability in two cases: when one of the above products was deployed outside the firewall on a public IP address, or when the attack originated from within the organization by an individual with administrator access to the systems. Such access is uncommon unless the systems were never configured or still used default login credentials.
Series 200 systems and Lifesize Passport systems have not been sold for more than five years and have been officially end of life since January 2017. Lifesize Networker has not been sold since January 2016, with end of life announced for March 31, 2019. Series 220 systems have not been sold since August 2017. As with all Lifesize products, we remain committed to supporting customers using legacy systems through the end of their product lifecycle.
We have addressed the vulnerability and will be issuing a patch to all Lifesize Cloud customers currently using any of the impacted systems. Additionally, Lifesize customers with 220 Series systems not connected to the Lifesize Cloud service can request a hotfix by contacting Lifesize support by telephone, by email or by opening a support ticket. For more information, visit: https://www.lifesize.com/en/support/contact-support
Security is of the utmost importance to Lifesize. All products are scanned and go through rigorous security testing using automated and manual processes, including external reviews. In rare instances when security flaws are found in our current lineup of products, they are addressed and patched within a matter of weeks, if not days.
We regret the inconvenience to our customers and are committed to improving our internal processes by which we escalate reported vulnerabilities so that we can address known issues faster.