Advisory 2020-001 - Understanding the Zoom vulnerabilities

Mossé Security's CSIRT has analysed the security vulnerabilities reported in Zoom between March 31st and April 7th, 2020. We are now sharing our professional opinion regarding the risk of “Zoom Bombing” attacks and discussing the weak encryption practices employed by Zoom.

Vulnerability 1 – UNC Path Injection

Likelihood: Unlikely
Impact: Moderate
Risk: LOW
Affected Product: Zoom for Microsoft Windows

Technical Description

Zoom supports UNC links because it uses Microsoft’s RichEdit interface to process chat messages.

When a user clicks on a UNC link:

  • Their computer automatically sends their NTLM hash to the attacker’s server. Weak NTLM hashes are vulnerable to password guessing attacks. This may allow adversaries to compromise user accounts and gain access into an organisation’s network via the VPN or emails if two-factor authentication (2FA) is not enabled on Internet-facing systems.
  • Adversaries can coerce users into downloading and executing malware in the same way that a phishing or spear-phishing URL works.

Risk

The likelihood of this vulnerability being exploited was rated UNLIKELY because:

  • The attack requires social engineering to coerce a user into clicking on a malicious UNC link
  • Adversaries would need to be authenticated into the Zoom meeting room of their target before they could send a malicious link to a target

The impact of this vulnerability, if exploited, was rated MODERATE because anti-virus software would protect a user’s workstation from downloading and executing malware served via UNC. Furthermore, if NTLM hashes are compromised, the impact would depend on whether Internet-facing systems such as emails are protected by 2FA and the data an adversary could steal from a small number of compromised user accounts.

Thus, Mossé Security's CSIRT rated the overall risk of this vulnerability LOW.

Recommendations

The following recommendations should be considered when addressing the risk:

  • Update Zoom to the latest version which fixes this vulnerability
  • Ensure that anti-virus software is installed and up to date on employee workstations
  • Ensure that Endpoint Detection and Response (EDR) software is installed on employee workstations to enable SOC and CSIRT teams to detect and respond to cyber-attacks against endpoints
  • Ensure that two-factor authentication (2FA) is enforced on all Internet-facing interfaces

It's possible to disable NTLM authentication with Group Policy by setting 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' to 'Deny All'. It's unclear what the consequences of this would be. We do not recommend going ahead with this unless thorough testing is first performed.
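One way to do that testing before committing to 'Deny All' is to run the same policy in 'Audit all' mode on a pilot workstation and review what would have been blocked. The script below is an added example, not part of the original advisory; the function names are hypothetical, and it assumes an elevated PowerShell session on a test machine where the setting is written to the local registry rather than delivered by Group Policy.

```powershell
# Added example, not from the advisory. Run elevated on a pilot machine.
# Registry value behind 'Network security: Restrict NTLM: Outgoing NTLM
# traffic to remote servers': 0 = Allow all, 1 = Audit all, 2 = Deny all.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutgoingNtlmMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Allow', 'Audit', 'Deny')]
        [string]$Mode
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' `
        -Value $value -Type DWord
}

# In audit mode, event 8001 in the NTLM operational log records each
# outgoing NTLM authentication that 'Deny all' would have blocked.
function Get-OutgoingNtlmAudit {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Target  = $data['TargetName']   # e.g. cifs/fileserver01
                Message = $_.Message
            }
        }
}

# Step 1: switch the pilot machine to audit mode.
Set-OutgoingNtlmMode -Mode Audit

# Step 2 (after the pilot period): list the servers that still rely on NTLM.
Get-OutgoingNtlmAudit -Days 14 |
    Group-Object Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Targets that appear in the summary are the services that would stop authenticating under 'Deny All'; each needs to move to Kerberos or be added to the policy's server exception list before the setting is enforced.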

Notes

Zoom is not the only application to support UNC links. Browsers, email clients, Microsoft Office, and many other types of software support UNC links and could also be used to perform the attack described in this advisory.

Vulnerability 2 – Local Privilege Escalation

Likelihood: Unlikely
Impact: Moderate
Risk: LOW
Affected Product: Zoom for Mac, OSX

Technical Description

Zoom’s installer insecurely uses the “AuthorizationExecuteWithPrivileges” API. Adversaries can hijack the installer’s execution to elevate their privilege to “root” on an OSX workstation.

Risk

The likelihood of this finding was rated UNLIKELY because adversaries would first need to obtain initial access onto their victim’s computer before exploiting the vulnerability.

The impact of this vulnerability was rated MODERATE because adversaries could only escalate privileges on a single (1) compromised machine at a time. This vulnerability cannot be used to compromise corporate networks.

We also note that escalating privileges on OSX is not always needed for adversaries to accomplish their mission. That’s because users have full read access to their home directories and thus, remotely compromising an account often allows adversaries to obtain unauthorised access to the entire user data available on the computer.

Thus, we rate this finding LOW risk.

In cases where system administrators are using personal OSX workstations to manage critical network infrastructure, this finding should be considered HIGH risk.

Recommendations

The following recommendations should be considered when addressing the risk:

  • Update Zoom to the latest version which fixes this vulnerability
  • Provide employees that manage critical IT systems with secure workstations that are appropriately hardened (that includes ensuring that user applications such as Zoom are not installed)
  • Ensure that Endpoint Detection and Response (EDR) software is installed on employee workstations to enable SOC and CSIRT teams to detect and respond to cyber-attacks against OSX endpoints

Notes

The attack surface of the OSX operating system is significant. Once an adversary has obtained remote access to a workstation then it’s highly likely that they would escalate privileges to “root”.

This vulnerability in Zoom may be one way for them to achieve this but there exist many other attack techniques that would also accomplish this.

Vulnerability 3 – Microphone and Webcam Hijacking

Likelihood: -
Impact: -
Risk: INFORMATIONAL
Affected Product: Zoom for Mac, OSX

Technical Description

An adversary that has obtained unauthorised access to a workstation with Zoom installed could subvert the program to record the microphone and webcam.

Risk

The OSX operating system offers multiple facilities for software to access the microphone and webcam.

For example, the Metasploit Framework offers microphone and webcam recording capabilities for penetration testers to demonstrate such attacks against OSX machines.

We rate the risk of this vulnerability INFORMATIONAL because workstations with microphone and webcam capabilities cannot defend against this post-exploitation attack.

Recommendations

Personnel whose identities must remain confidential should use hardened workstations and mobile devices to communicate. This would include physically disabling the microphone and webcam on their laptops.

Notes

This vulnerability should not be confused with another bug reported in Zoom in 2019, which allowed adversaries to force a user into joining a Zoom call: https://www.rapid7.com/db/vulnerabilities/zoom-cve-2019-13450

Zoom Bombing Attacks

Zoom meeting room identifiers can be guessed, and when a meeting is not protected with a password, adversaries can join it anonymously. Adversaries are using this vulnerability to disrupt Zoom meetings with inappropriate materials. Some automated tools are available online to automatically identify vulnerable meeting rooms, and the attack is unsophisticated.

Institutions doing Zoom meetings with children are the most exposed to this attack. It’s unclear whether the Zoom software enables child centres and schools to comply with child safety regulations across all jurisdictions.

Furthermore, we note that Zoom does not offer enterprise-level features such as:

Weak Encryption Practices

Citizen Lab discovered that Zoom does not deliver the encryption and privacy features it claims on its website. Furthermore, they raise the fact that Zoom is heavily invested in China, which may pose a threat to some countries. We will not speculate as to whether Zoom could have a backdoor in its software.

Our perspective is that Zoom is not a secure communication application and it never claimed to offer such capabilities. We’ve never heard of an intelligence, defence or military agency recommending Zoom to the organisations and people they protect. High-assurance communication technologies for individuals at high risk of cyber-attacks exist and are made available by the appropriate agencies to those who need them.

Furthermore, we note that exploiting these encryption weaknesses first requires adversaries to obtain a recording of the network traffic between their victims. Historically, this capability has only been available to intelligence agencies capable of hijacking portions of the Internet’s network traffic.

We do not doubt that talented security researchers would be capable of demonstrating a proof-of-concept attack in a lab environment, but that’s completely different from targeting a person in Australia, having a Zoom meeting with someone in the UK, whilst the attacker is located in China.

Once again, we wish to remind government officials and defence personnel reading our advisory that Zoom is not suited for secure communications and that they should use the secure software provided to them instead.

Final Words

Most individuals should not be worried about the vulnerabilities reported in Zoom in the past 10 days. It’s undoubtable that Zoom would be affected by critical remote code execution vulnerabilities but those have either not yet been discovered or not been made public.

Nonetheless, the reader should always employ the following security tactics to protect themselves online:

If you have any questions, contact the team at Mossé Security! We want to hear from you!

Published: 07/04/2020