Tenable Research Advisory: Zoom Unauthorized Command Execution (CVE-2018-15715)
Tenable Researcher David Wells discovered a vulnerability in Zoom’s Desktop Conferencing Application that allows an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings. Zoom has released updates for macOS, Windows and Linux.
- What you need to know: Tenable Research has discovered a vulnerability in Zoom’s Desktop Conferencing Application.
- What’s the attack vector? Unauthorized command execution via Zoom’s Event messaging pump.
- What’s the business impact? Attackers could hijack control of presenters’ desktops, spoof chat messages and kick attendees out of Zoom calls.
- What’s the solution? Zoom has released an update for the Desktop Conferencing Application.
背景
Tenable has discovered a vulnerability, CVE-2018-15715, in Zoom's Desktop Conferencing Application that allows for execution of unauthorized Zoom commands like spoofing chat messages, hijacking screen controls and kicking attendees off calls and locking them out of meetings. This vulnerability could be exploited in a few scenarios: 1) a Zoom meeting attendee could go rogue; 2) an attacker on the local access network (LAN) or 3) a remote attacker over wide area network (WAN) could theoretically use this vulnerability to hijack an ongoing Zoom meeting. We weren’t able to completely test scenario three, which is more complicated and will be discussed in detail later.
分析
This bug is due to the fact that Zoom's internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers.
This attack not only can be carried out by attendees of the Zoom meeting, but any remote attacker that is able to craft a spoofed UDP packet, as they can then seamlessly slip into the existing UDP session for an ongoing Zoom meeting and trigger this bug. This impacts both one-on-one (P2P) meetings as well as group meetings streamed through Zoom servers. It’s also worth mentioning that an attacker could theoretically exploit this vulnerability over WAN if they have the ability to spoof a public IP source in a UDP packet. In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live.
This vulnerability allows an attacker (over LAN or WAN) or rogue attendee to:
- Hijack screen controls: Bypassing screen control permissions during remote attendee screen share and sending keystrokes and mouse movements to completely control desktop.
- Spoof chat messages: Sending chat messages impersonating other users on conference.
- Kick attendees off the conference: Kicking and locking out attendees even while not meeting host.
By exploiting this vulnerability, an attacker could not only hijack the presenter’s screen and open the calculator (as shown in the video linked below), but also could download and execute malware. The practical execution of such an attack would have to overcome UDP packet loss (losing keystroke packets) and interruption of keystroke sequence by the victim.
概念验证
Wells has developed a proof of concept (PoC) for this vulnerability. In the video PoC below, you can see a rogue meeting attendee sending UDP packets to forcibly take control of the presenter’s screen and open the calculator.
Business impact
Conferencing services like Zoom are becoming ubiquitous in enterprises as teams are distributed around the world. According to Zoom’s website, over 750,000 companies use the enterprise video communication platform. Exploitation of a vulnerability like this could be extremely disruptive and poses serious reputational risk.
解决方案
Zoom patched its servers to block part of the attack vector and released version 4.1.34814.1119 to fix the vulnerability in Windows and version 4.1.34801.1116 for macOS.
Updated December 3: Zoom has released version 2.5.146186.1130 for Linux to address this vulnerability.
识别受影响的系统
We have verified this vulnerability affects the following Zoom versions:
- macOS 10.13, Zoom 4.1.33259.0925
- Windows 10, Zoom 4.1.33259.0925
- Ubuntu 14.04, Zoom 2.4.129780.0915
Tenable has released a Nessus plugin to identify vulnerable systems, which can be found here for Windows and here for macOS.
Additional information
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
相关文章
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Navigating Security Challenges Around OT in the DoD’s Manufacturing Lines
April 15, 2024How operational technology can revolutionize logistics, supply chain management, and overall efficiency.
CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
April 12, 2024A critical severity command injection vulnerability in Palo Alto Networks PAN-OS has been exploited in limited targeted attacks. While a fix is not yet available, patches are expected to be released on April 14 and mitigation steps are available.
- Vulnerability Management