SPOT Report - Zoom Zero-Day

By

Recently two separate researchers discovered two Zoom zero-day vulnerabilities that impact both Windows and Apple Macs. These vulnerabilities have led security professionals to question Zoom’s security practices.

Zoom is a popular video conferencing platform that has gained a large influx of new users in recent weeks due to the proliferation of COVID-19.

The first vulnerability was released on April 1st, 2020. It was tweeted out by @_g0dmode and has since been verified by security researchers Matthew Hickey and BleepingComputer. They stated that Zoom chat allows for malicious links to be posted in an attempt to gather Net-NTLM hashes from the user on Windows systems.

On April 1st, 2020 an ex-NSA hacker now serving as a principal security researcher at Jamf disclosed two new Zoom zero-day vulnerabilities that impact Apple Macs.  These enable local attackers to use code injection to access a root user or gain access to the webcam and microphone of the system.

Zoom has since released patches and software updates to address these vulnerabilities.

Potential Impact

The Windows vulnerability utilizes UNC path injection to expose credentials through a SMBRelay attack. In order for this attack to be utilized a user must click on a malicious link, provided in the chat functionality of Zoom, that connects back to a remote site using the file-sharing protocol to open a remote link.

Additionally, the vulnerability can be utilized to open local applications without prompting the user, which is executed on files that are on the local machine rather than on the web.

One MacOS vulnerability requires local access in order for an attacker to exploit the system. With local access the attacker could leverage Zoom’s installer to modify a binary to include the “runwithroot” script during an install, due to a deprecated API by Apple, pre-installation scripts do not require user interaction to run. The other vulnerability allows an attacker to gain access to a users microphone or camera and would allow them to record meetings or gain information about users’ personal lives.

Affected Versions

  • All Zoom versions on Windows prior to 4.6.9
  • All Zoom versions on Macs prior to 4.6.9

Managing and Mitigating Risk

In order to prevent the UNC path injection it is recommended that organizations take the following approaches:

  1. Zoom has released a patch for the UNC patch injection. Users should update Zoom as soon as possible to ensure they are not vulnerable to the issue. The fixed version number is 4.6.9 (19253.0401) or newer on Windows and 4.6.9 (19273.0402) on Mac OS.
  2. Prevent NTLM credentials from being sent to remote servers by creating a Group Policy:
    1. Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
    2. Configure setting to Deny
    3. Prior to implementing in production this should be tested and verified that no issues occur within the organization. For systems that are domained-joined this could cause problems when accessing shares.
  3. For home users implement the following setting on the system
    1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
    2. RestrictSendingNTLMTraffic”=dword:00000002

Before implementing the Group Policy, Registry key, or Patch it is highly recommended to test the impacts these may have on the end-user base that is supported.

Zoom’s Mac Vulnerabilities do not have any mitigations for them, without utilizing outside tools to provide additional notifications.

As of 4/2/2020 Zoom has released an update, 4.6.9 version 19273.0402, that should be installed on all Macs in order to resolve the vulnerability overall.

Detection

End-Point Detections

For customers who have an EDR solution and wish to look for signs of the Mac privilege escalation vulnerability being exploited, it is recommended to look for suspicious application names / shell scripts being launched by the Zoom installer parent process.

deepwatch Protect EDR customers will have their environments reviewed for any suspicious activity and we will reach out with any findings.

Vulnerability Management Detections

Neither Tenable nor Qualys have released detections, as of April 3rd, 2020, for any of the new Zoom vulnerabilities at the time the blog was published.

deepwatch VM customers will be contacted by their Vulnerability Management engineer to notify customers of any potentially vulnerable assets containing Zoom.

 

Contributors

  • Sam Harris, Principal, Vulnerability Management
  • Dave Farquhar, Vulnerability Management Program Manager
  • Kate Boucher, Vulnerability Management Program Manager

 

Supporting Information

Subscribe to the deepwatch Insider Blog