Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Zoom Conferencing App Exposes Enterprises to Attacks

A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.

A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.

Tenable researcher David Wells discovered recently that the Zoom applications for Windows and macOS are affected by a vulnerability that can be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.

The security hole, whose exploitation requires sending specially crafted UDP packets, can be used by a malicious insider who has access to the targeted meeting, by an attacker with access to the local network, or by a remote hacker over the Internet.

“This bug is due to the fact that Zoom’s internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers,” Tenable explained.

The flaw can be exploited to bypass screen control permissions and hijack a meeting attendee’s desktop by sending keystrokes and mouse movements, to send chat messages impersonating other users, or remove and lock out users.

Tenable has published a video and a proof-of-concept (PoC) exploit that show how an attacker can take control of the meeting presenter’s screen and open the calculator on their device.

The security firm noted that exploitation requires knowledge of an attendee’s IP address, the IP of the Zoom server, and the attendee’s ID. This last piece of information can be easily brute-forced, the company said.

In order to exploit this vulnerability from the Internet, an attacker would have to be able to spoof a public IP in a UDP packet. However, Tenable has admitted that this is a theoretical attack scenario that it has not tested.

Advertisement. Scroll to continue reading.

“In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live,” the company explained.

Tenable informed Zoom of the vulnerability on October 11 and it was patched on November 19 with the release of version 4.1.34814.1119 for Windows and version 4.1.34801.1116 for macOS. However, the vendor’s release notes only list “minor bug fixes” and don’t mention any security flaws.

Tenable noted that such a vulnerability can pose a serious risk to organizations. In this case, Zoom claims its video communications platform is used by more than 750,000 companies.

Related: Critical Vulnerability Patched in Cisco Conferencing Product

Related: Cisco Releases Second Patch for Webex Meetings Vulnerability

Related: Critical Vulnerability Impacts Hundreds of Thousands of IoT Cameras

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.