Critical Zoom vulnerability allows series of malicious actions

An attacker could spoof messages, hijack screen controls, or expel other conference attendees

A vulnerability considered critical in the Zoom videoconferencing application could allow a remote attacker to hijack screen controls and expel conference attendees, as reported by digital forensics specialists from the International Institute of Cyber Security.

Researchers from a cybersecurity firm published a proof of concept for this unauthorized command execution vulnerability, noting that the flaw resides in Zoom's messaging function. The vulnerability, tracked as CVE-2018-15715, has been rated “critical” in severity, with a CVSS 3.0 score of 9.9.

“This vulnerability could be exploited in certain scenarios, such as:

  • A malicious Zoom meeting participant
  • An attacker on the local access network (LAN)
  • A remote attacker on a wide area network (WAN) could theoretically use this vulnerability to hijack a Zoom meeting in progress

Attackers could use this vulnerability to perform otherwise restricted operations in Zoom conferences,” said David Wells, a digital forensics specialist. The vulnerability stems from a flaw in Zoom's internal message pump, the mechanism the application uses to send and wait for messages.

This means that a potential attacker, remotely and without authentication, could craft and send a User Datagram Protocol (UDP) message that the client would interpret as a trusted Transmission Control Protocol (TCP) message from the authorized Zoom servers.
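The root cause described above is a message pump that dispatches on message type alone, so a control message arriving on an unauthenticated datagram channel is honoured as if it came from the server's authenticated stream. The following is an added illustrative model, not Zoom's code or protocol: the transport names, message types and meeting state are constructed for the example. It shows a vulnerable pump beside a hardened one that binds trust to the channel a message arrived on, and records the rejections a defender would want to log.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Hypothetical model of a client-side message pump. Transport, CONTROL_MESSAGES
# and the message types below are constructed for this example only.


class Transport(Enum):
    TCP_SERVER = "tcp"   # stream session established with the meeting server
    UDP = "udp"          # connectionless channel; the sender address is unverified


@dataclass(frozen=True)
class Message:
    msg_type: str
    sender: str
    payload: dict
    transport: Transport


# Message types that only the meeting server should be able to issue.
CONTROL_MESSAGES = {"grant_remote_control", "remove_participant", "chat"}


@dataclass
class MeetingState:
    participants: set = field(default_factory=set)
    controller: Optional[str] = None
    chat_log: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # audit trail of dropped messages


def apply(state: MeetingState, msg: Message) -> MeetingState:
    """Assumed handler logic: mutate meeting state according to the message type."""
    if msg.msg_type == "grant_remote_control":
        state.controller = msg.payload["to"]
    elif msg.msg_type == "remove_participant":
        state.participants.discard(msg.payload["who"])
    elif msg.msg_type == "chat":
        state.chat_log.append((msg.payload["from"], msg.payload["text"]))
    return state


def pump_vulnerable(state: MeetingState, msg: Message) -> MeetingState:
    # Dispatches on message type alone: a datagram carrying a control message
    # type is treated exactly like one read from the server's stream.
    return apply(state, msg)


def pump_hardened(state: MeetingState, msg: Message) -> MeetingState:
    # Bind trust to the channel: control messages are honoured only when they
    # arrive on the authenticated server stream; everything else is logged.
    if msg.msg_type in CONTROL_MESSAGES and msg.transport is not Transport.TCP_SERVER:
        state.rejected.append((msg.transport.value, msg.msg_type, msg.sender))
        return state
    return apply(state, msg)


def replay(pump, messages) -> MeetingState:
    """Run a list of messages through a pump against a fresh meeting."""
    state = MeetingState(participants={"host", "alice", "mallory"}, controller="host")
    for m in messages:
        pump(state, m)
    return state


# Constructed sample traffic: one genuine server message, then three datagrams
# from a participant that carry server-only message types.
SAMPLE = [
    Message("chat", "server", {"from": "alice", "text": "hi"}, Transport.TCP_SERVER),
    Message("grant_remote_control", "mallory", {"to": "mallory"}, Transport.UDP),
    Message("remove_participant", "mallory", {"who": "alice"}, Transport.UDP),
    Message("chat", "mallory", {"from": "host", "text": "click this"}, Transport.UDP),
]

if __name__ == "__main__":
    v = replay(pump_vulnerable, SAMPLE)
    h = replay(pump_hardened, SAMPLE)
    print("vulnerable:", v.controller, sorted(v.participants), v.chat_log)
    print("hardened:  ", h.controller, sorted(h.participants), h.chat_log, h.rejected)
```

Running the same sample through both pumps makes the difference concrete: the vulnerable pump hands remote control to the datagram sender, drops a participant and inserts a spoofed chat line, while the hardened pump leaves the meeting untouched and leaves three rejected entries behind for detection.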

“This attack is especially dangerous because it can be done by both the participants of a Zoom conference and a remote attacker capable of creating a counterfeit UDP packet, because they can infiltrate an existing UDP session without problems, find a Zoom conference underway and trigger the attack,” the digital forensics expert mentioned.

From that point, the malicious actor could perform various harmful operations, such as hijacking screen controls, spoofing identities to send or receive messages addressed to other conference participants, or even expelling other participants from the conference.

For example, the proof of concept published by Wells showed how a malicious participant could send UDP packets to take control of the presenter's screen and launch the calculator application.

“Exploiting such a vulnerability can be extremely damaging and poses a serious risk to a company’s reputation,” says Wells. “Even if only one of the more than 700,000 companies working with Zoom software were affected, the impact would be significant.”

This kind of vulnerability is particularly detrimental to a company, according to specialists in digital forensics. Companies like Cisco and Adobe have also experienced problems with this kind of flaw in their videoconferencing systems. Just a few days ago, Cisco patched a series of flaws in its WebEx conferencing system that allowed remote code execution. For its part, Adobe recently released an update that fixes a series of flaws in its Adobe Connect platform.