Advisory 2020-001 - Understanding the Zoom vulnerabilities

Zoom supports UNC links because it uses Microsoft’s RichEdit interface to process chat messages.

When a user clicks on a UNC link:

• Their computer automatically sends their NTLM hash to the attacker’s server. Weak NTLM hashes are vulnerable to password guessing attacks. This may allow adversaries to compromise user accounts and gain access into an organisation’s network via the VPN or emails if two-factor authentication (2FA) is not enabled on Internet-facing systems.
• Adversaries can coerce users into downloading and executing malware in the same way that a phishing or spear-phishing URL works.

This likelihood of this vulnerability being exploited was rated UNLIKELY because:

• The attack requires social engineering to coerce a user into clicking on a malicious UNC link
• Adversaries would need to be authenticated into the Zoom meeting room of their target before they could send a malicious link to a target

The impact of this vulnerability, if exploited, was rated MODERATE because anti-virus software would protect a user’s workstation from downloading and executing malware served via UNC. Furthermore, if NTLM hashes are compromised, the impact would depend on whether Internet-facing systems such as emails are protected by 2FA and the data an adversary could steal from a small number of compromised user accounts.

Thus, Mossé Security's CSIRT rated the overall risk of this vulnerability LOW.

The following recommendations should be considered when addressing the risk:

• Update Zoom to the latest version which fixes this vulnerability
• Ensure that anti-virus software is installed and up to date on employee workstations
• Ensure that Endpoint Detection and Response (EDR) software is installed on employee workstations to enable SOC and CSIRT teams to detect and respond to cyber-attacks against endpoints
• Ensure that two-factor authentication (2FA) is enforced on all Internet-facing interfaces

It's possible to disable NTLM authentication with Group Policy by setting 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' to 'Deny All'. It's unclear what the consequences of this would be. We do not recommend going ahead with this unless thorough testing is first performed.

Zoom is not the only application to support UNC links. Browsers, email clients, Microsoft Office, and many other types of software support UNC links and could also be used to perform the attack described in this advisory.

• https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/
• https://twitter.com/BillDemirkapi/status/1245271580852322304

Zoom’s installer insecurely uses the “AuthorizationExecuteWithPrivileges” API. Adversaries can hijack the installer’s execution to elevate their privilege to “root” on an OSX workstation.

The likelihood of this finding was rated UNLIKELY because adversaries would first need to obtain initial access onto their victim’s computer before exploiting the vulnerability.

The impact of this vulnerability was rated MODERATE because adversaries could only escalate privileges on a single (1) compromised machine at a time. This vulnerability cannot be used to compromise corporate networks.

We also note that escalating privileges on OSX is not always needed for adversaries to accomplish their mission. That’s because users have full read access to their home directories and thus, remotely compromising an account often allows adversaries to obtain unauthorised access to the entire user data available on the computer.

Thus, we rate this finding LOW risk.

In cases where system administrators are using personal OSX workstations to manage critical network infrastructure, this finding should be considered HIGH risk.

The following recommendations should be considered when addressing the risk:

• Update Zoom to the latest version which fixes this vulnerability
• Provide employees that manage critical IT systems with secure workstations that are appropriate hardened (that includes ensuring that user applications such as Zoom are not installed)
• Ensure that Endpoint Detection and Response (EDR) software is installed on employee workstations to enable SOC and CSIRT teams to detect and respond to cyber-attacks against OSX endpoints

The attack surface of the OSX operating system is significant. Once an adversary has obtained remote access to a workstation then it’s highly likely that they would escalate privileges to “root”.

This vulnerability in Zoom may be one way for them to achieve this but there exist many other attack techniques that would also accomplish this.

• https://objective-see.com/blog/blog_0x56.html

An adversary that has obtained unauthorised access to a workstation with Zoom installed could subvert the program to record the microphone and webcam.

The OSX operating system offers multiple facilities for software to access the microphone and webcam.

For example, the Metasploit Framework offers microphone and webcam recording capabilities for penetration testers to demonstrate such attack against OSX machines.

We rate the risk of this vulnerability INFORMATIONAL because workstations with microphone and webcam capabilities cannot defend against this post-exploitation attack.

Personnel whose identities must remain confidential should use hardened workstations and mobile devices to communicate. This would include physically disabling the microphone and webcam on their laptops.

This vulnerability should not be confused with another bug reported in Zoom in 2019, which allowed adversaries to force a user into joining a Zoom call: https://www.rapid7.com/db/vulnerabilities/zoom-cve-2019-13450

• https://objective-see.com/blog/blog_0x56.html
• https://www.rapid7.com/db/modules/post/osx/manage/record_mic
• https://www.rapid7.com/db/modules/post/osx/manage/webcam