A serious vulnerability in Zoom’s desktop conferencing application could allow a remote attacker to hijack screen controls and kick attendees out of meetings.
Researchers at Tenable, who on Thursday released a proof-of-concept exploit for the unauthorized command execution flaw, said the bug exists in Zoom’s event messaging pump. The vulnerability, CVE-2018-15715, is rated “critical” in severity and carries a CVSS 3.0 score of 9.9.
“This vulnerability could be exploited in a few scenarios: 1) a Zoom meeting attendee could go rogue; 2) an attacker on the local access network (LAN) or 3) a remote attacker over wide area network (WAN) could theoretically use this vulnerability to hijack an ongoing Zoom meeting,” Tenable researcher David Wells wrote in an analysis. “An attacker could leverage this vulnerability to perform restricted meeting operations.”
The vulnerability stems from Zoom’s internal messaging pump, the mechanism the client uses to wait for and dispatch messages within the program. The pump feeds both client User Datagram Protocol (UDP) traffic and server Transmission Control Protocol (TCP) traffic to the same message handler, without recording which transport a message arrived on.
That means a potentially unauthenticated, remote attacker could craft and send a UDP message, and the handler would treat it as a trusted TCP message of the kind only authorized Zoom servers are supposed to issue.
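The trust-confusion pattern described above, as an added example that is not Zoom’s code and not Tenable’s proof of concept. The message layout, the opcode names, the Transport enum and the meeting state are all hypothetical stand-ins chosen for illustration; nothing here reflects Zoom’s real wire format. It shows a single handler that dispatches on the opcode alone, so a privileged command arriving on the peer (UDP) path is honoured, next to a hardened pump that keeps the arrival transport as part of the message’s identity and refuses privileged opcodes from anything but the server channel.

```python
"""Toy model of a message pump that merges two trust domains.

Everything in this file (HEADER layout, OP_* opcodes, Transport,
MeetingState) is constructed for the example and is NOT Zoom's protocol.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import struct


class Transport(Enum):
    TCP_SERVER = "tcp"  # authenticated control channel to the conferencing server
    UDP_PEER = "udp"    # data path that other meeting participants can also reach


# Hypothetical opcodes. Only the server is meant to issue the privileged ones.
OP_CHAT = 1
OP_KICK_ATTENDEE = 2
OP_GRANT_REMOTE_CONTROL = 3
PRIVILEGED_OPS = {OP_KICK_ATTENDEE, OP_GRANT_REMOTE_CONTROL}

# Constructed header: big-endian opcode, then payload length.
HEADER = struct.Struct("!HH")


def encode(opcode: int, payload: bytes) -> bytes:
    return HEADER.pack(opcode, len(payload)) + payload


def decode(raw: bytes):
    """Parse one message; reject short or truncated packets instead of guessing."""
    if len(raw) < HEADER.size:
        raise ValueError("short packet")
    opcode, length = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return opcode, payload


@dataclass
class MeetingState:
    attendees: set = field(default_factory=lambda: {"alice", "bob"})
    remote_control_holder: Optional[str] = None
    chat: list = field(default_factory=list)


def handle(state: MeetingState, opcode: int, payload: bytes) -> MeetingState:
    """Shared handler: it acts on the opcode and has no idea where it came from."""
    if opcode == OP_CHAT:
        state.chat.append(payload.decode())
    elif opcode == OP_KICK_ATTENDEE:
        state.attendees.discard(payload.decode())
    elif opcode == OP_GRANT_REMOTE_CONTROL:
        state.remote_control_holder = payload.decode()
    return state


def vulnerable_pump(state: MeetingState, transport: Transport, raw: bytes) -> MeetingState:
    """Both transports land in the same handler; the transport is simply dropped."""
    opcode, payload = decode(raw)
    return handle(state, opcode, payload)


def hardened_pump(state: MeetingState, transport: Transport, raw: bytes) -> MeetingState:
    """Origin is taken from the socket the bytes arrived on, never from the bytes.

    Privileged opcodes are only honoured from the server channel. Chat and other
    peer-level opcodes still flow over UDP as before.
    """
    opcode, payload = decode(raw)
    if opcode in PRIVILEGED_OPS and transport is not Transport.TCP_SERVER:
        raise PermissionError(f"opcode {opcode} not accepted on {transport.value}")
    return handle(state, opcode, payload)


def demo() -> dict:
    # Constructed attacker datagram: a peer-path packet carrying a server-only opcode.
    forged = encode(OP_KICK_ATTENDEE, b"bob")

    vulnerable = MeetingState()
    vulnerable_pump(vulnerable, Transport.UDP_PEER, forged)

    hardened = MeetingState()
    rejected = False
    try:
        hardened_pump(hardened, Transport.UDP_PEER, forged)
    except PermissionError:
        rejected = True
    # The legitimate server path is unaffected by the check.
    hardened_pump(hardened, Transport.TCP_SERVER, forged)

    return {
        "vulnerable_kicked_bob": "bob" not in vulnerable.attendees,
        "hardened_rejected_udp": rejected,
        "hardened_server_kick_ok": "bob" not in hardened.attendees,
    }


if __name__ == "__main__":
    print(demo())
```

The check in `hardened_pump` is the minimum that closes this particular confusion: the transport is an attribute of the socket, so a peer cannot forge it the way it can forge bytes. It does not by itself make the server channel trustworthy; that still depends on the TCP side being authenticated (for example, TLS with server verification), and a cleaner design keeps separate dispatch tables per transport rather than one handler with a guard bolted on.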
“This attack not only can be carried out by attendees of the Zoom meeting, but any remote attacker that is able to craft a spoofed UDP packet, as they can then seamlessly slip into the existing UDP session for an ongoing Zoom meeting and trigger this bug,” said Wells.
From there, an attacker could trigger a range of restricted meeting operations. That includes hijacking screen controls while a remote attendee is sharing a screen, giving the attacker full control of that desktop; spoofing chat messages that impersonate other users on the conference; or kicking and locking attendees out of the conference.
In a proof-of-concept video, for instance, researchers showed how a rogue meeting attendee was able to send UDP packets that forcibly took control of the presenter’s screen and opened the presenter’s calculator.
For one of the 750,000 businesses that use Zoom, the reputational impact of having something like this happen is not insignificant, Wells noted: “Exploitation of a vulnerability like this could be extremely disruptive and poses serious reputational risk.”
Tricky bugs in conferencing systems are particularly detrimental to the enterprise. Cisco and Adobe have also had their fair share of video conferencing woes: last week, Cisco patched a critical vulnerability in the recording function of its WebEx conferencing platform that could allow remote code execution, and earlier this year Adobe worked to patch flaws in its conferencing tool Adobe Connect.
“The widespread and frequent use of conferencing systems in today’s enterprises exposes a wide and constant attack surface for any bad actor wishing to exploit the opportunity,” Wells told Threatpost in an interview. “Today’s conferencing systems consist of not only audio/video, but also more sensitive components (such as remote desktop) that result in more serious problems when compromised with a logic flaw like this.”
Affected versions include Zoom 4.1.33259.0925 for macOS and Windows 10, as well as Zoom 2.4.129780.0915 for Ubuntu. The flaw affects both one-on-one (P2P) meetings and group meetings streamed through Zoom servers, said Tenable.
Zoom has patched its servers to block part of the attack vector, and has released fixed clients for Windows (4.1.34814.1119) and macOS (4.1.34801.1116). The latest update for the Linux client does not fix the issue; Zoom is reportedly working on an update.