Today, a vulnerability in Zoom was disclosed which can be exploited by a local or remote attacker to hijack screen controls and perform other malicious actions. POC code was also released. At the time of this writing there is no patch.
Overview
On November 29, 2018 Tenable researcher David Wells disclosed a vulnerability in Zoom’s desktop conferencing which would allow an attacker to hijack the screen controls, spoof chat messages, and kick attendees out of meetings. The vulnerability, CVE-2018-15715, is listed as “critical” in severity and has a CVSS 3.0 score of 9.9.
Technical Overview
This vulnerability can be exploited by an attacker either remotely or local to the Zoom meeting by sending a specifically crafted User Datagram Protocol (UDP) message which is then processed as if it came from a trusted Transmission Control Protocol (TCP) channel used by authorized servers. Once the attacker is able to trick the server, with the crafted UDP message, the attacker can gain access to the Zoom meeting and take control of screen sharing, spoof chat messages, or kick attendees from the conference.
Zoom servers currently allow unencrypted UDP messages, even if encrypted sessions are enabled, which gives an attacker the ability to exploit this vulnerability without authentication or the need for the encryption key.
In order for an attacker to exploit the vulnerability successfully, the attacker must be aware of an attendee’s IP address or a Zoom server IP address and have the attendee’s meeting ID to fully execute the attack.
Wells released a proof of concept onto GitHub,
Potential Impact
At the current time, if a user is utilizing macOS version 4.1.33259.0925, Windows, Ubuntu version 2.4.129780.0915; an attacker can gain the ability to hijack screen controls, spoof chat messages, or kick attendees off the meeting. There is no research validating that other versions are susceptible to this type of attack, however, it should be assumed that other versions are vulnerable.
In some cases, if users are not attentive, an attacker could utilize the screen control hijacking to install malware on the system to gain further access to the network.
What You Should Do
Zoom has patched their servers to block part of the attack vector. In addition to patching their servers, Zoom has released updates for Windows (version 4.1.34814.1119), macOS (version 4.1.34801.1116), and Linux (version 2.5.146186.1130).
Deepwatch recommends that all users update their Zoom desktop client to the latest version as soon as possible to stop the possibility of an attack via this vulnerability.
Deepwatch will provide additional information to protect its customers and others if and when it becomes available.
Supporting Information
- https://www.tenable.com/blog/tenable-research-advisory-zoom-unauthorized-command-execution-cve-2018-15715
- https://threatpost.com/critical-zoom-flaw-lets-hackers-hijack-conference-meetings/139489/
- https://github.com/tenable/poc/tree/master/Zoom
- https://twitter.com/CE2Wells/status/1068156019291746304
- https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes