What is the threat
As reported by security researcher Jonathan Leitschuh on his Medium account, current versions of the Zoom conferencing client on Macintosh systems have a known vulnerability that allows a malicious actor to force-join a user to a new online conference and enable (turn on) the user’s video camera without their permission or consent. There is no current fix for this vulnerability, but workarounds do exist. Additionally, there is a secondary vulnerability that could be misused by malicious actors if the conditions are right and if it is not addressed by the vendor (Zoom).
Why is it noteworthy?
Zoom is a highly popular web conferencing software-as-a-service platform that allows employees to create, host, and join online audio, video, and content-sharing sessions. Zoom is widely used, and may be in use by employees even if the organization does not itself subscribe to the Zoom service, because employees join Zoom conferences at the invitation of vendors, suppliers, web content providers, etc. This provides a massive number of potential targets for this attack across all verticals, company sizes, and job roles/responsibilities.
What is the risk?
The primary risk from this vulnerability is that a user could be joined to a Zoom conference without direct interaction or consent. A properly crafted website link can initiate a Zoom conference and force-join the user who visits that link without the user’s explicit knowledge or consent. Zoom permits conference hosts to enable video camera broadcast by default when a user joins a conference, meaning that a user who is force-joined to a conference can have their video camera turned on and begin broadcasting without their knowledge. It should be noted that other Zoom features, such as desktop sharing and audio broadcast, cannot be automatically started by a host and therefore cannot be turned on by this attack. If exploited, the attacker would be able to view anything visible to the victim’s web camera until the victim recognizes that the Zoom conference has been joined and disconnects from it.
The secondary vulnerability exists in a web server that is installed by the Zoom desktop client software on Macintosh systems. This web server runs locally on the computer and is used to receive updates to the Zoom client software. While no known vulnerability exists in this web service, it can potentially act as an attack surface for future threat activity if the conditions are right.
What are the recommendations?
While no patch yet exists from Zoom, there are workarounds to minimize the impact of this threat.
SKOUT is providing the following workarounds to help our customers that use Zoom in order to harden their environments.
Workaround 1: Locally disable auto-start of video in Zoom Conferencing. This must be performed per-user within the Zoom Desktop Client. On the Preferences or Settings pages (depending on client platform and version), go to Video and enable “Turn off my video when joining a meeting” (screenshots available in the Medium article linked below).
Workaround 2: (Can be done concurrently with Workaround 1) As the vulnerability does not have the ability to automatically enable audio or desktop/application sharing, the threat is limited to an attacker being able to view anything visible to the user’s web camera. The application of a camera cover (for those who need to periodically use the web camera) or opaque tape over the camera will effectively block this threat.
Web Service recommendation: Organizations should strictly limit IP traffic on port 19421 to only the URLs associated with the Zoom services. Contact Zoom for a current list of IP addresses to whitelist and allow communication on this port, and block all other access at the firewall so that nothing but legitimate Zoom update communication can establish a connection to the Zoom client.
Update 7/10: What new information is available regarding this threat?
Zoom released a patch to address the concerns over the web service continuously running on Macintosh operating systems. The updated version – 4.4.4 (53932.0709) – removes the web service entirely. SKOUT has independently tested and verified that this patch is effective and that there are no observable issues or consequences for applying the patch.
An additional patch will be released on or about July 12, 2019 to force the default behavior of video to be OFF unless explicitly turned on by the user. This means that after the July 12 patch, while a user could still be force-joined to a Zoom meeting through a crafted web page, the threat actor would not be able to interact with video, audio, or sharing services unless the user explicitly allows those features in that specific Zoom conference session.
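To confirm on a Mac that the two conditions described in this advisory have been addressed, the following script checks the installed client version against 4.4.4 and whether anything is still listening on TCP 19421. This is an added example, not SKOUT’s or Zoom’s tooling; it assumes the standard install path /Applications/zoom.us.app and the standard macOS defaults and lsof commands.

```shell
#!/bin/sh
# Added example, not from the SKOUT advisory or Zoom: check a Mac for the two
# conditions the advisory describes. Assumptions: Zoom is installed at the
# standard path /Applications/zoom.us.app, its local web service listens on
# TCP 19421 (port named in the advisory), and 4.4.4 is the first version
# without that service (per the advisory's update).
FIXED_VERSION="4.4.4"
ZOOM_PORT=19421
ZOOM_PLIST="/Applications/zoom.us.app/Contents/Info"

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Fields compare one at a time, so 4.4.10 is newer than 4.4.4.
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# zoom_version_vulnerable VER: succeed when VER is older than FIXED_VERSION.
# A build suffix such as "4.4.4 (53932.0709)" is ignored.
zoom_version_vulnerable() {
  v="${1%% *}"
  case "$v" in ""|none|unknown) return 1 ;; esac
  version_lt "$v" "$FIXED_VERSION"
}

# Installed client version from Info.plist, or "none" when Zoom is absent.
installed_zoom_version() {
  [ -f "$ZOOM_PLIST.plist" ] || { echo none; return; }
  defaults read "$ZOOM_PLIST" CFBundleShortVersionString 2>/dev/null || echo unknown
}

# Succeed when a process is still listening on the advisory's port.
zoom_service_listening() {
  lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1
}

ver="$(installed_zoom_version)"
echo "Zoom client version: $ver"
zoom_version_vulnerable "$ver" && echo "Older than $FIXED_VERSION: update the client"
zoom_service_listening && echo "Listening on TCP $ZOOM_PORT" || echo "Nothing on TCP $ZOOM_PORT"
```

A patched system should report a version of 4.4.4 or later and nothing listening on TCP 19421; a listener on that port after updating is worth investigating, since the 4.4.4 client no longer installs the web service.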
Continuous updates are provided by the vendor via their website: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
Article Link and references:
[Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!](https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5)
If you have any questions, please contact our Security Operations Center.