12.02.18

Vulnerability SPOT Report

Zoom Desktop Conferencing CVE-2018-15715

By Jen O'Neil

Today, a vulnerability in Zoom was disclosed that can be exploited by a local or remote attacker to hijack screen controls and perform other malicious actions. Proof-of-concept (PoC) code was also released. At the time of this writing there is no patch.

Overview

On November 29, 2018, Tenable researcher David Wells disclosed a vulnerability in Zoom’s desktop conferencing client that allows an attacker to hijack screen controls, spoof chat messages, and kick attendees out of meetings. The vulnerability, CVE-2018-15715, is rated “critical” in severity and carries a CVSS 3.0 score of 9.9.

Technical Overview

An attacker, either remote or local to the Zoom meeting, exploits this vulnerability by sending a specially crafted User Datagram Protocol (UDP) message, which is then processed as if it had arrived over the trusted Transmission Control Protocol (TCP) channel used by authorized servers. Once the server has been tricked by the crafted UDP message, the attacker can act within the Zoom meeting: take control of screen sharing, spoof chat messages, or kick attendees from the conference.

Zoom servers currently accept unencrypted UDP messages even when encrypted sessions are enabled, so an attacker can exploit this vulnerability without authenticating and without possessing the session’s encryption key.

To exploit the vulnerability successfully, an attacker must know either an attendee’s IP address or a Zoom server IP address, and must also have the attendee’s meeting ID.

Wells released a proof of concept onto GitHub.
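The root cause described above is a trust-boundary failure: a message is believed because of what it says, not because of the channel that delivered it. The following is an added illustration of that flaw class and its fix, written for this report; it is a hypothetical dispatcher with constructed command names, not Zoom’s code or protocol.

```python
"""Transport-trust confusion: vulnerable dispatcher beside a hardened one.

Hypothetical model (not Zoom's code): a meeting server takes control
commands over an authenticated TCP channel and media/keepalive traffic
over UDP. The vulnerable dispatcher routes every parsed message to the
same handler regardless of transport; the hardened one refuses privileged
commands unless they arrived on the trusted channel.
"""
from dataclasses import dataclass

# Constructed command set; the names are hypothetical, not Zoom's protocol.
PRIVILEGED = {"grant_screen_control", "send_chat_as", "kick_attendee"}
MEDIA_ONLY = {"keepalive", "media_stats"}


@dataclass(frozen=True)
class Message:
    transport: str  # "tcp" (authenticated) or "udp" (unauthenticated)
    command: str
    sender: str     # claimed sender; only verified on the TCP channel


def vulnerable_dispatch(msg: Message) -> str:
    """Flawed: trusts the message body and ignores the delivering transport."""
    if msg.command in PRIVILEGED or msg.command in MEDIA_ONLY:
        return f"executed {msg.command} for {msg.sender}"
    return "rejected: unknown command"


def hardened_dispatch(msg: Message) -> str:
    """Fixed: privileged commands are honoured only from the authenticated channel."""
    if msg.command in PRIVILEGED:
        if msg.transport != "tcp":
            return "rejected: privileged command on untrusted transport"
        return f"executed {msg.command} for {msg.sender}"
    if msg.command in MEDIA_ONLY:
        return f"executed {msg.command} for {msg.sender}"
    return "rejected: unknown command"


if __name__ == "__main__":
    # Constructed sample: an unauthenticated datagram carrying a control command.
    spoofed = Message("udp", "grant_screen_control", sender="host")
    print(vulnerable_dispatch(spoofed))  # executed grant_screen_control for host
    print(hardened_dispatch(spoofed))    # rejected: privileged command on untrusted transport
```

The defensive rule is the same one Zoom’s server-side fix enforces in spirit: the transport a message arrived on is part of its identity, and a privileged action must be bound to the channel that authenticated the sender.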

Potential Impact

At the current time, Zoom clients on macOS (version 4.1.33259.0925), Windows, and Ubuntu (version 2.4.129780.0915) are affected: an attacker can hijack screen controls, spoof chat messages, or kick attendees off the meeting. No research has validated that other versions are susceptible to this type of attack; however, it should be assumed that other versions are vulnerable.

In some cases, if users are not attentive, an attacker could use the screen-control hijacking to install malware on the system and gain further access to the network.

What You Should Do

Zoom has patched its servers to block part of the attack vector. In addition, Zoom has released client updates for Windows (version 4.1.34814.1119), macOS (version 4.1.34801.1116), and Linux (version 2.5.146186.1130).

deepwatch recommends that all users update their Zoom desktop client to the latest version as soon as possible to remove the possibility of an attack via this vulnerability.
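Verifying that recommendation across a fleet means comparing installed client versions against the fixed builds named above. This is an added example written for this report, not deepwatch or Zoom tooling; the fixed versions come from the report and the inventory rows are constructed.

```python
"""Flag Zoom desktop clients that predate the fixed releases in this report.

Added example, not deepwatch's or Zoom's tooling. The fixed versions are the
ones named in the report; the inventory rows below are constructed.
"""
from typing import List, Tuple

# Fixed client versions from the report, keyed by platform.
FIXED_VERSIONS = {
    "windows": "4.1.34814.1119",
    "macos": "4.1.34801.1116",
    "linux": "2.5.146186.1130",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 4.1.9000 < 4.1.34814
    compares numerically; a plain string comparison would rank it higher."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(platform: str, version: str) -> bool:
    """True when the installed version is at or above the fixed release."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(version) >= parse_version(fixed)


def unpatched_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose Zoom client still needs the update."""
    return [host for host, plat, ver in inventory if not is_patched(plat, ver)]


if __name__ == "__main__":
    # Constructed software-inventory rows: (hostname, platform, Zoom version).
    inventory = [
        ("ws-01", "macos", "4.1.33259.0925"),    # affected version named in the report
        ("ws-02", "windows", "4.1.34814.1119"),  # exactly the fixed build
        ("ws-03", "linux", "2.4.129780.0915"),   # affected version named in the report
        ("ws-04", "windows", "4.1.9000.1000"),   # older; a text compare would pass it
    ]
    print(unpatched_hosts(inventory))  # ['ws-01', 'ws-03', 'ws-04']
```

The example assumes inventory versions use the same dotted numeric form as the report’s version strings.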

deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

  • https://www.tenable.com/blog/tenable-research-advisory-zoom-unauthorized-command-execution-cve-2018-15715
  • https://threatpost.com/critical-zoom-flaw-lets-hackers-hijack-conference-meetings/139489/
  • https://github.com/tenable/poc/tree/master/Zoom
  • https://twitter.com/CE2Wells/status/1068156019291746304
  • https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes