Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Zoom Conferencing App Exposes Enterprises to Attacks

A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.

A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.

Tenable researcher David Wells discovered recently that the Zoom applications for Windows and macOS are affected by a vulnerability that can be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.

The security hole, whose exploitation requires sending specially crafted UDP packets, can be used by a malicious insider who has access to the targeted meeting, by an attacker with access to the local network, or by a remote hacker over the Internet.

“This bug is due to the fact that Zoom’s internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers,” Tenable explained.

The flaw can be exploited to bypass screen control permissions and hijack a meeting attendee’s desktop by sending keystrokes and mouse movements, to send chat messages impersonating other users, or remove and lock out users.

Tenable has published a video and a proof-of-concept (PoC) exploit that show how an attacker can take control of the meeting presenter’s screen and open the calculator on their device.

Advertisement. Scroll to continue reading.

The security firm noted that exploitation requires knowledge of an attendee’s IP address, the IP of the Zoom server, and the attendee’s ID. This last piece of information can be easily brute-forced, the company said.

In order to exploit this vulnerability from the Internet, an attacker would have to be able to spoof a public IP in a UDP packet. However, Tenable has admitted that this is a theoretical attack scenario that it has not tested.

“In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live,” the company explained.

Tenable informed Zoom of the vulnerability on October 11 and it was patched on November 19 with the release of version 4.1.34814.1119 for Windows and version 4.1.34801.1116 for macOS. However, the vendor’s release notes only list “minor bug fixes” and don’t mention any security flaws.

Tenable noted that such a vulnerability can pose a serious risk to organizations. In this case, Zoom claims its video communications platform is used by more than 750,000 companies.

Related: Critical Vulnerability Patched in Cisco Conferencing Product

Related: Cisco Releases Second Patch for Webex Meetings Vulnerability

Related: Critical Vulnerability Impacts Hundreds of Thousands of IoT Cameras

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.