A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.
Tenable researcher David Wells discovered recently that the Zoom applications for Windows and macOS are affected by a vulnerability that can be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.
The security hole, whose exploitation requires sending specially crafted UDP packets, can be used by a malicious insider who has access to the targeted meeting, by an attacker with access to the local network, or by a remote hacker over the Internet.
“This bug is due to the fact that Zoom’s internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers,” Tenable explained.
The flaw can be exploited to bypass screen control permissions and hijack a meeting attendee’s desktop by sending keystrokes and mouse movements, to send chat messages impersonating other users, or to remove and lock out users.
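The dispatch flaw Tenable describes, modeled as an added example (not Zoom's or Tenable's code): a client that funnels both transports into one handler, beside one that keeps the arrival channel attached to each message and refuses server-only message kinds that did not arrive over the authenticated server channel. The message kinds, channel names and meeting state are assumed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Channel(Enum):
    CLIENT_UDP = auto()  # unauthenticated peer/media traffic
    SERVER_TCP = auto()  # authenticated session with the meeting server

@dataclass
class Message:
    channel: Channel  # transport the message actually arrived on
    kind: str
    payload: dict

@dataclass
class MeetingState:
    attendees: set = field(default_factory=lambda: {"alice", "bob", "carol"})
    remote_control_granted: bool = False
    dropped: list = field(default_factory=list)

# Message kinds only the server may originate (hypothetical names).
SERVER_ONLY = {"grant_remote_control", "remove_attendee", "chat"}

def handle(msg: Message, state: MeetingState) -> None:
    # Shared handler: acts on the message kind alone, never on its origin.
    if msg.kind == "remove_attendee":
        state.attendees.discard(msg.payload["user"])
    elif msg.kind == "grant_remote_control":
        state.remote_control_granted = True

def dispatch_shared(msg: Message, state: MeetingState) -> None:
    # Flawed pattern: both transports feed one handler, so provenance is lost.
    handle(msg, state)

def dispatch_checked(msg: Message, state: MeetingState) -> None:
    # Hardened pattern: server-only kinds are honored only from the server channel.
    if msg.kind in SERVER_ONLY and msg.channel is not Channel.SERVER_TCP:
        state.dropped.append(msg.kind)  # a real client would log and alert here
        return
    handle(msg, state)

def run(dispatch) -> MeetingState:
    # Constructed message sequence fed through the chosen dispatcher.
    state = MeetingState()
    for msg in (
        Message(Channel.SERVER_TCP, "remove_attendee", {"user": "carol"}),  # legitimate host action
        Message(Channel.CLIENT_UDP, "media", {"frame": b"\x00\x01"}),       # ordinary peer traffic
        Message(Channel.CLIENT_UDP, "grant_remote_control", {"user": "x"}),  # server-only kind via UDP
    ):
        dispatch(msg, state)
    return state
```

With the shared dispatcher the UDP-borne "grant_remote_control" is honored; with the checked dispatcher it is dropped while the genuine server message still takes effect.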
The security firm noted that exploitation requires knowledge of an attendee’s IP address, the IP of the Zoom server, and the attendee’s ID. This last piece of information can be easily brute-forced, the company said.
In order to exploit this vulnerability from the Internet, an attacker would have to be able to spoof a public IP in a UDP packet. However, Tenable has admitted that this is a theoretical attack scenario that it has not tested.
“In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live,” the company explained.
Tenable informed Zoom of the vulnerability on October 11 and it was patched on November 19 with the release of version 4.1.34814.1119 for Windows and version 4.1.34801.1116 for macOS. However, the vendor’s release notes only list “minor bug fixes” and don’t mention any security flaws.
Tenable noted that such a vulnerability can pose a serious risk to organizations. In this case, Zoom claims its video communications platform is used by more than 750,000 companies.