While the world is collectively complaining about 2020, Zoom is one of the few companies that has prospered in the era of social distancing. But along with its surge in users, Zoom's global rise has attracted the attention of security researchers, and since March 2020 someone seems to stumble upon a new bug or vulnerability almost every week.
Zoom security issues have been mounting by the day, and they have had a major impact on school classes, business meetings, social hangouts and more. The first big Zoom threat came to light in April 2020, when many meetings began to be disrupted by uninvited intruders who would scribble on screen, shout profanity or racial slurs, or share inappropriate images. These incidents famously became known as Zoombombing.
Since then there has been a steady stream of Zoom security news. Let's quickly brush up on the highlights:
- Saved Zoom meeting recordings were publicly accessible online on Zoom's cloud servers
- Fake Zoom client software enabled information scraping to collect details about an organization's employees
- A Zoom phishing scam posed as the employee's HR department
- A fake, trojanized Zoom installer emerged that hijacked the victim's webcam
- 500,000 Zoom accounts were leaked and sold on the dark web
- Several Zoom zero-day exploits were still unpatched
Now, coming back to the latest Zoom vulnerabilities: on June 3, 2020, Cisco Talos disclosed two critical vulnerabilities in the Zoom application that give an attacker code execution on the victim's machine.
Latest Zoom Vulnerability 2020 Under Spotlight
The two newly found Zoom vulnerabilities are highly severe because they allow a threat actor to "execute arbitrary code on the victim's machine". Both flaws can be exploited through path traversal to write arbitrary files onto any machine running the Zoom video conferencing client.
Notably, these vulnerabilities let an attacker target a Zoom group chat or an individual participant without any interaction from the victim: exploitation is as simple as sending a specially crafted message through Zoom's chat feature to the targeted group or individual.
The two Zoom vulnerability CVEs under discussion are:
CVE-2020-6109 – Giphy Arbitrary File Write
CVSSv3 Score: 8.5
Affected Zoom version (tested): 4.6.10
The first Zoom vulnerability lies in the code path that handles GIF messages from Giphy, which in an "ideal environment" is the only server Zoom uses for GIFs. Researchers found, however, a validation error: the client did not check whether a received GIF was actually being loaded from Giphy or from some other service.
This gave a threat actor the chance to serve malicious GIFs from a server under their control. Under Zoom's architecture, those GIFs are then stored on the recipient's system inside the application's data folder.
The vulnerability takes full effect because Zoom did not sanitize the filenames, which allowed directory traversal. In practice, the attacker can craft the path so that the file is written outside Zoom's install folder and into any directory the user can write to.
Additionally, the file contents need not be a GIF or an image at all; they can be an executable script or binary, which can then serve as a foothold for exploiting another vulnerability.
CVE-2020-6110 – Chat Code Snippet RCE
CVSSv3 Score: 8.0
Affected Zoom versions (tested): 4.6.10 and 4.6.11
The second Zoom vulnerability resides in the chat functionality, which, as Talos describes it, is
“built on top of XMPP standard with additional extensions to support the rich user experience. One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires the installation of an additional plugin but receiving them does not. This feature is implemented as an extension of file sharing support.”
This feature zips the code snippet before sharing it, and the archive is unzipped when it arrives on the recipient's end. This is where the vulnerability comes into play: researchers explain that Zoom does not verify the contents of such zip files in its extraction routine, allowing an attacker to plant arbitrary binaries on the victim's system.
Additionally, like the first vulnerability, this one also takes advantage of a path traversal flaw, allowing a malicious zip archive to write files outside the directory Zoom assigns to it on the targeted computer, ultimately leading to remote code execution.
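Both flaws come down to the same missing check: a filename supplied by a peer (a GIF name or a zip member name) is joined to the client's data directory without confirming that the resolved path stays inside it. As an added example that is not Zoom's code, the Python below shows that check and applies it to a constructed zip containing one benign snippet and one traversal entry; the directory names and archive contents are assumptions made for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def safe_target_path(base_dir: str, name: str) -> str:
    """Return where member `name` may be written, or raise if it escapes base_dir."""
    base = os.path.realpath(base_dir)
    # Normalise backslashes so a Windows-style "..\\" segment is caught on any OS.
    candidate = os.path.realpath(os.path.join(base, name.replace("\\", "/")))
    # Absolute names, '..' segments and the empty name all fail this strict-prefix test.
    if candidate == base or not candidate.startswith(base + os.sep):
        raise ValueError(f"refusing to write outside {base}: {name!r}")
    return candidate

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract members that stay inside dest_dir; return (name, accepted) per member."""
    decisions = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target_path(dest_dir, info.filename)
            except ValueError:
                decisions.append((info.filename, False))  # log this, never write it
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            decisions.append((info.filename, True))
    return decisions

def build_sample_archive() -> bytes:
    """Constructed sample: one benign snippet plus one directory-traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("snippet/main.c", "int main(void) { return 0; }\n")
        zf.writestr("../startup/evil.exe", b"not-a-real-binary")
    return buf.getvalue()

def run_demo() -> tuple:
    """Extract the sample into a scratch dir; report decisions and what landed where."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "zoom_data")  # assumed client data directory
        decisions = safe_extract(build_sample_archive(), dest)
        benign_written = os.path.isfile(os.path.join(dest, "snippet", "main.c"))
        escaped = os.path.exists(os.path.join(scratch, "startup", "evil.exe"))
    return decisions, benign_written, escaped
```

The same `safe_target_path` check applies unchanged to the GIF case, where the attacker controls a single filename rather than a whole archive.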
Zoom Vulnerability Fix & Patch
Fortunately, the Talos team reported both issues to Zoom in April 2020. The Zoom development team then fixed both vulnerabilities and released the patched version on June 3, 2020.
Zoom Patched Version: 4.6.12
Make sure that you have updated the Zoom application and are running its latest version on your Windows, Linux and Mac machines.