Tenable Research Advisory: Zoom Unauthorized Command Execution (CVE-2018-15715)
Tenable Researcher David Wells discovered a vulnerability in Zoom’s Desktop Conferencing Application that allows an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings. Zoom has released updates for macOS, Windows and Linux.
- What you need to know: Tenable Research has discovered a vulnerability in Zoom’s Desktop Conferencing Application.
- What’s the attack vector? Unauthorized command execution via Zoom’s Event messaging pump.
- What’s the business impact? Attackers could hijack control of presenters’ desktops, spoof chat messages and kick attendees out of Zoom calls.
- What’s the solution? Zoom has released an update for the Desktop Conferencing Application.
Antecedentes
Tenable has discovered a vulnerability, CVE-2018-15715, in Zoom's Desktop Conferencing Application that allows for execution of unauthorized Zoom commands like spoofing chat messages, hijacking screen controls and kicking attendees off calls and locking them out of meetings. This vulnerability could be exploited in a few scenarios: 1) a Zoom meeting attendee could go rogue; 2) an attacker on the local access network (LAN) or 3) a remote attacker over wide area network (WAN) could theoretically use this vulnerability to hijack an ongoing Zoom meeting. We weren’t able to completely test scenario three, which is more complicated and will be discussed in detail later.
Análisis
This bug is due to the fact that Zoom's internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers.
This attack not only can be carried out by attendees of the Zoom meeting, but any remote attacker that is able to craft a spoofed UDP packet, as they can then seamlessly slip into the existing UDP session for an ongoing Zoom meeting and trigger this bug. This impacts both one-on-one (P2P) meetings as well as group meetings streamed through Zoom servers. It’s also worth mentioning that an attacker could theoretically exploit this vulnerability over WAN if they have the ability to spoof a public IP source in a UDP packet. In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live.
This vulnerability allows an attacker (over LAN or WAN) or rogue attendee to:
- Hijack screen controls: Bypassing screen control permissions during remote attendee screen share and sending keystrokes and mouse movements to completely control desktop.
- Spoof chat messages: Sending chat messages impersonating other users on conference.
- Kick attendees off the conference: Kicking and locking out attendees even while not meeting host.
By exploiting this vulnerability, an attacker could not only hijack the presenter’s screen and open the calculator (as shown in the video linked below), but also could download and execute malware. The practical execution of such an attack would have to overcome UDP packet loss (losing keystroke packets) and interruption of keystroke sequence by the victim.
Prueba de concepto
Wells has developed a proof of concept (PoC) for this vulnerability. In the video PoC below, you can see a rogue meeting attendee sending UDP packets to forcibly take control of the presenter’s screen and open the calculator.
Business impact
Conferencing services like Zoom are becoming ubiquitous in enterprises as teams are distributed around the world. According to Zoom’s website, over 750,000 companies use the enterprise video communication platform. Exploitation of a vulnerability like this could be extremely disruptive and poses serious reputational risk.
Solución
Zoom patched its servers to block part of the attack vector and released version 4.1.34814.1119 to fix the vulnerability in Windows and version 4.1.34801.1116 for macOS.
Updated December 3: Zoom has released version 2.5.146186.1130 for Linux to address this vulnerability.
Identificación de los sistemas afectados
We have verified this vulnerability affects the following Zoom versions:
- macOS 10.13, Zoom 4.1.33259.0925
- Windows 10, Zoom 4.1.33259.0925
- Ubuntu 14.04, Zoom 2.4.129780.0915
Tenable has released a Nessus plugin to identify vulnerable systems, which can be found here for Windows and here for macOS.
Additional information
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Artículos relacionados
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
Shifting the Paradigm: Why the Cyber Insurance Industry Should Focus on Preventive Security
May 13, 2024As claims and losses climb, it’s clear that preventive security should be prioritized more when designing a cyber insurance policy. Here’s why preventive security investments are cost effective and can lead to lower premiums.
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
May 10, 2024Is the software your company wants to buy securely designed? A new guide outlines how you can find out. Meanwhile, a new NIST framework can help you assess your GenAI systems’ risks. Plus, a survey shows a big disconnect between AI usage (high) and AI governance (low). And MITRE’s breach post-mortem brims with insights and actionable tips. And much more!
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
- Vulnerability Management