vSOC SPOT Report: Zoom Desktop Conferencing (CVE-2018-15715)
Posted by: GuidePoint Security
Overview
On November 29, 2018, Tenable researcher David Wells disclosed a vulnerability in Zoom’s desktop conferencing client that would allow an attacker to hijack screen controls, spoof chat messages, and kick attendees out of meetings. The vulnerability, CVE-2018-15715, is rated “critical” in severity and has a CVSS 3.0 score of 9.9.
Technical Overview
This vulnerability can be exploited by an attacker who is either remote or local to the Zoom meeting by sending a specially crafted User Datagram Protocol (UDP) message that is then processed as if it had arrived over the trusted Transmission Control Protocol (TCP) channel used by authorized servers. Once the attacker has tricked the server with the crafted UDP message, they can gain access to the Zoom meeting and take control of screen sharing, spoof chat messages, or kick attendees from the conference.
Zoom servers currently accept unencrypted UDP messages even when encrypted sessions are enabled, which lets an attacker exploit this vulnerability without authentication and without the encryption key.
To exploit the vulnerability successfully, an attacker must know an attendee’s IP address or a Zoom server IP address, as well as the attendee’s meeting ID.
Wells released a proof of concept onto GitHub, https://github.com/tenable/poc/tree/master/Zoom, and a diagram of the attack on Twitter, https://twitter.com/CE2Wells/status/1068156019291746304.
Potential Impact
At the time of writing, a user running version 4.1.33259.0925 for macOS or Windows, or version 2.4.129780.0915 for Ubuntu, is exposed to an attacker hijacking screen controls, spoofing chat messages, or kicking attendees off the meeting. No research has validated that other versions are susceptible to this type of attack; however, they should be assumed to be vulnerable.
In some cases, if users are not attentive, an attacker could use the hijacked screen controls to install malware on the system and gain further access to the network.
What You Should Do
Zoom has patched its servers to block part of the attack vector. In addition, Zoom has released client updates for Windows (version 4.1.34814.1119) and Mac (version 4.1.34801.1116); a Linux patch is currently in development.
GuidePoint recommends that all users update their Zoom desktop client to the latest version as soon as possible to eliminate the possibility of an attack via this vulnerability.
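As an added example (not part of the original report or any Zoom/GuidePoint tooling), the following Python triage script flags hosts whose Zoom desktop client is below the patched versions named above. The inventory rows and hostnames are constructed sample data; Linux is treated as vulnerable at every version because no patched Linux release is listed.

```python
from typing import Tuple

# Minimum patched client version per platform, taken from the report above.
# Linux has no fixed release listed, so it is treated as always vulnerable.
PATCHED = {
    "windows": "4.1.34814.1119",
    "mac": "4.1.34801.1116",
    "linux": None,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1.33259.0925' into (4, 1, 33259, 925) for numeric comparison.

    Components are compared as integers so that the zero-padded date
    component ('0925') does not misorder releases the way a string compare would.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Zoom version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the client version is below the patched release for its platform.

    Platforms without a listed fix (Linux) and unknown platforms fail closed,
    i.e. they are reported as vulnerable.
    """
    fixed = PATCHED.get(platform.lower())
    if fixed is None:
        return True
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return hostnames whose Zoom client still needs updating.

    inventory is an iterable of (hostname, platform, version) tuples, such as
    an endpoint-management export.
    """
    return [host for host, plat, ver in inventory if is_vulnerable(plat, ver)]


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "windows", "4.1.33259.0925"),  # version named as affected
    ("ws-finance-02", "windows", "4.1.34814.1119"),  # patched Windows build
    ("mbp-sales-07", "mac", "4.1.34801.1116"),       # patched Mac build
    ("mbp-sales-08", "mac", "4.1.33259.0925"),
    ("dev-ubuntu-03", "linux", "2.4.129780.0915"),   # no Linux fix available yet
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host}")
```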
Supporting Information
- https://www.tenable.com/blog/tenable-research-advisory-zoom-unauthorized-command-execution-cve-2018-15715
- https://threatpost.com/critical-zoom-flaw-lets-hackers-hijack-conference-meetings/139489/
- https://github.com/tenable/poc/tree/master/Zoom
- https://twitter.com/CE2Wells/status/1068156019291746304
- https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes