Cybersecurity Threat Advisory 0024-20: Zoom Vulnerabilities and Zoom Bombing
After a recent spike in usage due to global social distancing guidelines, multiple vulnerabilities have been discovered in Zoom. In addition, the ever-growing user base is seeing a rise in the number of “Zoom Bombing” attacks. These threats could allow a hacker to gain root privileges, record meetings, steal credentials, and/or expose meetings to unwanted users. SKOUT advises updating Zoom to the latest version and following Zoom’s updated best practices to keep unwanted guests out of meetings.
Technical detail and additional information
What is the threat?
A number of vulnerabilities have been discovered in the popular web conferencing application “Zoom” for both macOS and Windows.
The Zoom macOS application has two vulnerabilities. The first allows an unprivileged local actor to gain root privileges through the Zoom installer’s use of “AuthorizationExecuteWithPrivileges”, without any user interaction. The second allows an attacker to obtain microphone and camera access without user authorization by loading a third-party library into the Zoom process.
The Zoom Windows application contains a UNC path injection vulnerability due to the application incorrectly converting UNC paths into clickable hyperlinks when they are typed into the chat service. By specially crafting a UNC path and entering it into the Zoom application’s chat function, a malicious actor could attempt to steal user credentials, launch programs on user devices, and more.
These vulnerabilities are accompanied by a rise in activity dubbed “Zoom Bombing”, in which an unwanted user could join a Zoom meeting uninvited and cause a disruption.
Why is this noteworthy?
These vulnerabilities exist in version 4.6.8 (and below) of Zoom, which has dramatically increased in popularity in recent weeks due to numerous new users working and learning from home on both macOS and Windows devices. They affect a rapidly expanding user base, and in order to maintain a secure home environment they required immediate remediation by Zoom. The application is under heavy scrutiny due to its sudden ubiquity in many professional environments, and only now are many of its vulnerabilities being exposed by security professionals. In addition to actual vulnerabilities in the application itself, there are many common misconfigurations for Zoom meetings that are being exploited to cause disruptions by unwanted users.
What is the exposure or risk?
The different vulnerabilities have a number of distinct risks:
- The Zoom Installer’s “AuthorizationExecuteWithPrivileges” vulnerability runs the Zoom Installer with root privileges. An attacker could tamper with the binary that is executed in order to escalate to root for their desired purpose. A malicious actor with root privileges on the machine could carry out any number of malicious actions.
- The microphone and camera recording vulnerability allows malicious code to be injected into Zoom’s process. By doing this, a malicious actor could use Zoom’s microphone and camera access to record Zoom meetings, or even access the user’s microphone and camera at any time without a user prompt.
- The Zoom chat feature’s UNC path injection vulnerability allows a malicious actor to enter a specially crafted UNC path into the chat window (such as \\x.x.x.x\file_name), which Zoom renders as a clickable hyperlink. If a user clicks on this hyperlink, their Windows login username and NTLM password hash can be stolen. The hash could then be cracked and used to compromise the account, leading to further attacks.
- As for Zoom Bombing, while not strictly a vulnerability, a Zoom meeting that is not configured with proper security settings could be exposed to unwanted users. A malicious actor could discover your meeting by using an application such as “zWarDial” and could then join and cause any number of disruptions. This could include potential exploitation of the aforementioned UNC path injection vulnerability.
Note that the identified macOS vulnerabilities require pre-existing access to the user’s computer. This means the machine would either need to be physically in possession of the attacker or have been compromised by a previous malware infection.
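The UNC path issue above comes down to one design decision: a chat client should only turn URLs with an explicitly safe scheme (http/https) into clickable links, and must never auto-link a Windows UNC path. The following Python is an added example written for this advisory; it is not Zoom's code and does not describe how Zoom implemented its fix. It shows a scheme-allowlisted linkifier beside a small detector that flags UNC paths in chat text for review. The chat lines, sender names and addresses are constructed sample data (the `x.x.x.x` placeholder is the one used in the advisory).

```python
import html
import re

# Only http(s) URLs are eligible to become clickable links. Any other
# "link-looking" text, including UNC paths, stays as plain text.
HTTP_URL_RE = re.compile(r'\bhttps?://[^\s<>"]+', re.IGNORECASE)

# A Windows UNC path: two leading backslashes, a host (name or IP), and an
# optional share/file part, e.g. \\x.x.x.x\file_name or \\srv01\c$.
UNC_PATH_RE = re.compile(r'\\\\[^\s\\/]+(?:\\[^\s<>"]*)?')


def find_unc_paths(message):
    """Return every UNC path found in a single chat message."""
    return UNC_PATH_RE.findall(message)


def linkify(message):
    """Render a chat message as an HTML fragment.

    Only http(s) URLs become <a> elements. Everything else, UNC paths
    included, is HTML-escaped and emitted as inert text, so a pasted
    \\host\share never becomes something a user can click.
    """
    parts = []
    pos = 0
    for match in HTTP_URL_RE.finditer(message):
        parts.append(html.escape(message[pos:match.start()]))
        url = match.group(0)
        parts.append('<a href="%s">%s</a>'
                     % (html.escape(url, quote=True), html.escape(url)))
        pos = match.end()
    parts.append(html.escape(message[pos:]))
    return ''.join(parts)


def flag_chat_lines(chat):
    """Scan (sender, message) pairs and return (sender, unc_path) findings.

    This is the detection side: a moderator or an automated filter can use
    the findings to warn participants or drop the message.
    """
    findings = []
    for sender, message in chat:
        for path in find_unc_paths(message):
            findings.append((sender, path))
    return findings


# Constructed sample chat, not a real transcript.
SAMPLE_CHAT = [
    ("alice", "Slides are at https://example.com/deck"),
    ("mallory", r"Click here for the agenda \\x.x.x.x\file_name"),
    ("bob", "thanks"),
]

if __name__ == "__main__":
    for sender, message in SAMPLE_CHAT:
        print(sender, "->", linkify(message))
    print("flagged:", flag_chat_lines(SAMPLE_CHAT))
```

Run as a script, the http(s) URL from alice is wrapped in an anchor tag, mallory's UNC path is printed back as plain escaped text, and the detector reports `("mallory", "\\x.x.x.x\file_name")`. Allowlisting schemes is the durable fix; a blocklist of `\\` prefixes would miss other non-http schemes that a client should likewise refuse to auto-link.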
What are the recommendations?
Zoom has released a patch that fixed the two macOS vulnerabilities and the Windows vulnerability which can be found at the following links:
Concerning the Zoom Bombing issue, Zoom has released a blog post comprehensively detailing the steps you can take to secure your Zoom meeting against unwanted attendees. That blog post can be found below:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.