Cyber-security firm Tenable disclosed on Nov. 29 that it found a high-impact vulnerability in the Zoom web video conferencing platform that could have potentially enabled an attacker to hijack controls.
Zoom has become increasingly popular in recent years, with up to 750,000 global users. The vulnerability could have potentially allowed an attacker to impersonate meeting attendees, bypass screen control messages and control a victim’s desktop. Adding further insult to injury, the flaw could have enabled an attacker to kick attendees out of meetings.
Tenable reported the issue, identified as CVE-2018-15715, in Zoom’s Desktop Conferencing app on Oct. 11, with Zoom fixing the issue in its new 4.1.34814.1119 update, which became publicly available on Nov. 20.
In a video demonstration of the flaws, Tenable demonstrates how the vulnerability could be used to remotely bypass screen control permissions and send remote keystrokes to a system that is sharing the same screen.
How the Flaw Works
CVE-2018-15715 is an unauthorized command execution issue in Zoom, according to Tenable. At its core, the flaw enables attackers to send spoofed UDP data packets that are interpreted by Zoom servers to be trusted.
“The flaw itself is common enough that it has its own CWE [Common Weakness Enumeration] category with CWE-290,” David Wells, senior research engineer at Tenable, told eWEEK. “[However], it is fairly rare since the vulnerability is a fundamental design flaw.”
In the Zoom scenario, Wells said he would have expected each message to be cryptographically signed by the sender. In terms of how Tenable discovered the Zoom issue, Wells said Tenable’s Zero Day Research team is an elite group of seasoned security researchers who search for vulnerabilities in a diverse set of products.
“With 750,000 companies using Zoom, it’s hard to avoid. Vulnerabilities in a product like this represent a far-reaching issue,” Wells said. “The Zero Day Research team decided to research Zoom’s software to enhance users’ security footing around the world.”
The research team used a variety of tools and techniques to discover the Zoom flaw, Wells said. He added that Tenable researchers used mostly static/dynamic reverse engineering with IDA Pro to understand Zoom’s packet processing internals. For network analysis, the researchers used capture tools such as Wireshark.
Protection
Well said Zoom responded in a reasonable time, releasing patches before Tenable’s 90-day time limit. That said, ideally, the fix for a vulnerability like this would be part of an automatic update, he said.
“Zoom marked this update as ’manual,’ so many users will have to update the application themselves,” he said.
Wells said Zoom patched against this vulnerability on the server side and appears to now filter out the UDP attack attempts for meetings streamed through Zoom servers. Whether a meeting is being conducted through Zoom servers (protected against attacks) or peer-to-peer (which would still be vulnerable when using unpatched versions of Zoom) is based on more complex factors not in the user’s control.
“The best recommendation is to patch as soon as possible,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.