12.02.18

Zoom Desktop Conferencing CVE-2018-15715

By Jen O'Neil

A vulnerability in Zoom's desktop conferencing client has been disclosed which can be exploited by a local or remote attacker to hijack screen controls, spoof chat messages and kick attendees out of meetings. Proof-of-concept code was released with the disclosure. Zoom has made a server-side fix and released updated clients; the fixed client versions are listed under What You Should Do below.

Overview

On November 29, 2018, Tenable researcher David Wells disclosed a vulnerability in Zoom's desktop conferencing client that allows an attacker to hijack screen controls, spoof chat messages, and kick attendees out of meetings. The vulnerability, CVE-2018-15715, is rated critical in severity with a CVSS 3.0 score of 9.9.

Technical Overview

The vulnerability can be exploited by an attacker who is either remote or local to the Zoom meeting by sending a specially crafted User Datagram Protocol (UDP) message to a meeting attendee's Zoom client. The client processes the message as if it had arrived over the trusted Transmission Control Protocol (TCP) control channel used by Zoom's servers, so the attacker's datagram is handled as an authorized server command. Once the client has been tricked in this way, the attacker can take control of screen sharing, spoof chat messages, or kick attendees from the conference.

The Zoom UDP channel currently accepts unencrypted messages even when encrypted sessions are enabled, so the attacker can exploit this vulnerability without authenticating and without possessing the session's encryption key.

To exploit the vulnerability successfully, the attacker needs to know a target attendee's IP address (or a Zoom server IP address) and the attendee's meeting ID.

Wells released a proof of concept on GitHub (linked under Supporting Information below).
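The class of flaw the overview describes, one message handler fed by both an authenticated TCP channel and an unauthenticated UDP channel, is easier to see in code. The following Python model is an added example written for this note; it is not Zoom's code and not Tenable's proof of concept, and the message types (SET_SCREEN_CONTROL, CHAT, KICK_ATTENDEE, MEDIA_FRAME), the meeting state and the two dispatch functions are hypothetical. It replays one constructed message sequence, legitimate server commands over TCP followed by spoofed datagrams over UDP, through a vulnerable dispatcher and through a hardened one that honours privileged commands only when they arrive on the authenticated TCP channel.

```python
"""
Model of the message-dispatch bug class described in the advisory: a client
that feeds messages from an authenticated TCP control channel and from an
unauthenticated UDP media channel into one handler, so a spoofed UDP datagram
is treated like a server command.  Message format, command names, meeting
state and handlers are hypothetical, written for this note (not Zoom's code).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class Transport(Enum):
    TCP = "tcp"  # connection-oriented control channel to the conferencing server
    UDP = "udp"  # connectionless media channel; the source address is trivially spoofable


@dataclass(frozen=True)
class Message:
    transport: Transport
    msg_type: str   # hypothetical wire type, e.g. "SET_SCREEN_CONTROL"
    payload: dict


# Commands that change meeting state; only the server should ever issue them.
PRIVILEGED = {"SET_SCREEN_CONTROL", "CHAT", "KICK_ATTENDEE"}


@dataclass
class MeetingState:
    screen_controller: str = "host"
    chat: List[Tuple[str, str]] = field(default_factory=list)
    attendees: set = field(default_factory=lambda: {"host", "alice", "bob"})


def apply_command(state: MeetingState, msg: Message) -> None:
    """Applies a message to the meeting state with no regard to where it came from."""
    if msg.msg_type == "SET_SCREEN_CONTROL":
        state.screen_controller = msg.payload["user"]
    elif msg.msg_type == "CHAT":
        state.chat.append((msg.payload["from"], msg.payload["text"]))
    elif msg.msg_type == "KICK_ATTENDEE":
        state.attendees.discard(msg.payload["user"])
    elif msg.msg_type == "MEDIA_FRAME":
        pass  # audio/video data; harmless to accept over UDP
    else:
        raise ValueError(f"unknown message type {msg.msg_type!r}")


def dispatch_vulnerable(state: MeetingState, msg: Message) -> bool:
    """Flaw: the same handler runs regardless of which socket delivered the message,
    so an attacker's UDP datagram is indistinguishable from a server command."""
    apply_command(state, msg)
    return True


def dispatch_hardened(state: MeetingState, msg: Message) -> bool:
    """Mitigation: privileged commands are honoured only from the authenticated
    TCP channel; anything privileged arriving over UDP is dropped (and, in a
    real client, logged as a spoofing attempt)."""
    if msg.msg_type in PRIVILEGED and msg.transport is not Transport.TCP:
        return False
    apply_command(state, msg)
    return True


def run_scenario(dispatch: Callable[[MeetingState, Message], bool]):
    """Replays a constructed sequence: two legitimate server commands over TCP,
    then an attacker's spoofed datagrams over UDP.  Returns the final state and
    the per-message accept/reject decisions."""
    state = MeetingState()
    legit = [
        Message(Transport.TCP, "SET_SCREEN_CONTROL", {"user": "alice"}),
        Message(Transport.TCP, "CHAT", {"from": "host", "text": "welcome"}),
    ]
    spoofed = [  # attacker only needs the victim's IP and the meeting to target
        Message(Transport.UDP, "SET_SCREEN_CONTROL", {"user": "attacker"}),
        Message(Transport.UDP, "CHAT", {"from": "host", "text": "please open https://example.com/update"}),
        Message(Transport.UDP, "KICK_ATTENDEE", {"user": "bob"}),
        Message(Transport.UDP, "MEDIA_FRAME", {"seq": 1}),
    ]
    accepted = [dispatch(state, m) for m in legit + spoofed]
    return state, accepted


if __name__ == "__main__":
    for name, fn in (("vulnerable", dispatch_vulnerable), ("hardened", dispatch_hardened)):
        st, acc = run_scenario(fn)
        print(name, "controller:", st.screen_controller, "attendees:", sorted(st.attendees), "accepted:", acc)
```

Refusing privileged commands from the UDP path is one generic mitigation for this bug class; authenticating each datagram under the session key is another. Zoom's actual remediation was the server-side fix and the client updates listed below; the example does not claim to reproduce it.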

Potential Impact

The affected versions identified in the disclosure are 4.1.33259.0925 on macOS, the Windows client, and 2.4.129780.0915 on Ubuntu; on these, an attacker can hijack screen controls, spoof chat messages, or kick attendees off the meeting. Other versions have not been tested, but they should be assumed vulnerable until updated.

If users are not attentive, an attacker who has hijacked screen control could use it to install malware on the system and gain further access to the network.

What You Should Do

Zoom has patched its servers to block part of the attack vector. In addition, Zoom has released client updates for Windows (version 4.1.34814.1119), macOS (version 4.1.34801.1116), and Linux (version 2.5.146186.1130).

Deepwatch recommends that all users update their Zoom desktop client to the latest version as soon as possible to close this attack vector.
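To act on that recommendation across a fleet, a practitioner typically wants to compare an inventory of installed client versions against the fixed builds named above. The following Python helper is an added example, not Deepwatch's or Zoom's tooling; the hostname,platform,version inventory format, the host names and the version values in the sample are constructed for this note, while the three minimum fixed versions are the ones in the paragraph above.

```python
"""
Triage helper: given an inventory of hosts and their Zoom desktop client
versions, report which hosts are still below the first fixed release for their
platform.  Inventory format and sample rows are constructed for this example.
"""
from typing import Dict, List, Tuple

# First fixed client versions per platform, as listed in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "4.1.34814.1119",
    "macos": "4.1.34801.1116",
    "linux": "2.5.146186.1130",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Splits a four-part dotted Zoom version into integers so that comparison is
    numeric; a plain string comparison would put '9' after '10' and break on
    leading zeros such as the '0925' build suffix."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Zoom version format: {version!r}")
    return tuple(int(p) for p in parts)


def needs_update(platform: str, version: str) -> bool:
    """True when the installed version is older than the fixed build for the platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def triage(inventory: str):
    """inventory: text lines of 'hostname,platform,version' ('#' lines are comments).
    Returns (exposed, bad): a sorted list of (hostname, platform, version) tuples
    still below the fixed version, and a list of (line, reason) for rows that
    could not be evaluated and need manual follow-up."""
    exposed: List[Tuple[str, str, str]] = []
    bad: List[Tuple[str, str]] = []
    for line in inventory.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            host, platform, version = (f.strip() for f in line.split(","))
            if needs_update(platform, version):
                exposed.append((host, platform.lower(), version))
        except ValueError as exc:  # wrong field count, bad version, unknown platform
            bad.append((line, str(exc)))
    return sorted(exposed), bad


# Constructed sample inventory (host names and versions invented for this note).
SAMPLE_INVENTORY = """\
# hostname,platform,version
ws-001,Windows,4.1.33259.0925
ws-002,Windows,4.1.34814.1119
mac-001,macOS,4.1.34801.1116
mac-002,macOS,4.1.33259.0925
lin-001,Linux,2.4.129780.0915
lin-002,Linux,2.5.146186.1130
lin-003,Linux,2.5.0
"""

if __name__ == "__main__":
    exposed_hosts, unparsable = triage(SAMPLE_INVENTORY)
    for host, platform, version in exposed_hosts:
        print(f"UPDATE {host} ({platform}) {version} -> {FIXED_VERSIONS[platform]}")
    for line, reason in unparsable:
        print(f"CHECK  {line!r}: {reason}")
```

Rows that fail to parse are reported rather than silently skipped, since a host whose version cannot be read is exactly the one that should not be assumed patched.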

Deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

  • https://www.tenable.com/blog/tenable-research-advisory-zoom-unauthorized-command-execution-cve-2018-15715
  • https://threatpost.com/critical-zoom-flaw-lets-hackers-hijack-conference-meetings/139489/
  • https://github.com/tenable/poc/tree/master/Zoom
  • https://twitter.com/CE2Wells/status/1068156019291746304
  • https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes
