Two high-severity vulnerabilities in the Zoom videoconferencing platform have been identified by researchers at the Cisco Talos threat intelligence team. Both could allow a remote attacker to plant files on the system of a Zoom meeting participant, which could in turn lead to execution of arbitrary code on the target's system.
The flaws were reported to Zoom and have been patched in version 4.6.12 of the Zoom client for Windows, Mac, and Linux.
The flaws, tracked as CVE-2020-6109 and CVE-2020-6110, are both path traversal vulnerabilities. CVE-2020-6109 concerns how the Zoom client uses the Giphy service, which lets meeting participants search for animated GIFs and send them to other participants. The problem is that the Zoom client did not check that the GIFs it fetched actually came from the Giphy service, so an attacker could have the client load a "GIF" from a third-party server under the attacker's control. The downloaded file was then stored in the cache folder on the recipient's system. Because the filename supplied by the server was not sanitized, the file did not have to be a GIF at all, and a malicious binary could be disguised as one. The same lack of sanitization allowed directory traversal, so the Zoom client could be tricked into saving the file in a different folder such as the Windows Startup folder, where it would run the next time the user logged in, for example after a reboot.
CVE-2020-6110 concerns how the Zoom client processes code snippets shared by meeting participants through the application's chat feature. This vulnerability could also be exploited to achieve remote code execution, although that requires some user interaction. A shared snippet is packed into a zip archive before it is sent, and the recipient's client automatically unzips it on receipt. Because the contents of the archive were not validated, an attacker could add arbitrary binaries to it and have them written to the target's computer. In addition, a path traversal issue in the extraction step allowed archive entries to be written outside the randomly generated directory intended for the snippet.
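Both flaws come down to two missing checks: trusting a server-chosen filename (or archive member name) as a path under the cache or snippet directory, and, for the Giphy case, never confirming where the media was fetched from. The following is an added example of what those checks look like; it is not Zoom's code or anything from the Talos advisories. The allow-listed Giphy hosts, the cache and snippet directory names, the permitted snippet file types and the sample inputs are all assumptions chosen for illustration, and the malicious archive is constructed in memory so the example runs offline.

```python
"""Added example (not Zoom's code): the origin and path checks the two CVEs lacked.

Assumptions: the Giphy host allow-list, directory names and snippet file
extensions below are illustrative, not taken from the Zoom client.
"""
import io
import os
import zipfile
from urllib.parse import urlparse

# Assumed allow-list of hosts the GIF picker may fetch media from.
ALLOWED_GIF_HOSTS = {"giphy.com", "media.giphy.com"}
# Assumed allow-list of file types a shared code snippet may contain.
ALLOWED_SNIPPET_EXTS = {".txt", ".py", ".c", ".js", ".sh"}


def is_allowed_gif_origin(url: str) -> bool:
    """Origin check missing in CVE-2020-6109: only fetch over HTTPS from Giphy hosts."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_GIF_HOSTS or host.endswith(".giphy.com")


def safe_cache_name(server_supplied_name: str) -> str:
    """Filename sanitisation missing in CVE-2020-6109.

    Keep only the last path component, strip odd characters and force a .gif
    extension, so '../../Startup/evil.exe' becomes the harmless 'evil.gif'."""
    base = os.path.basename(server_supplied_name.replace("\\", "/"))
    stem = "".join(ch for ch in os.path.splitext(base)[0] if ch.isalnum() or ch in "-_")
    return (stem or "gif") + ".gif"


def resolve_inside(base_dir: str, relative_name: str) -> str:
    """Shared traversal check: resolve relative_name under base_dir or raise ValueError.

    Rejects absolute paths, drive letters and any '..' sequence (including the
    Windows backslash form) that would resolve outside base_dir."""
    base = os.path.realpath(base_dir)
    name = relative_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute path rejected: {relative_name!r}")
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{relative_name!r} escapes {base_dir!r}")
    return target


def plan_snippet_extraction(zip_bytes: bytes, dest_dir: str) -> list:
    """Hardened extraction for the CVE-2020-6110 case: compute where every member
    would land and reject traversal or non-snippet file types before writing."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = resolve_inside(dest_dir, info.filename)
            if os.path.splitext(target)[1].lower() not in ALLOWED_SNIPPET_EXTS:
                raise ValueError(f"disallowed member type: {info.filename!r}")
            targets.append(target)
    return targets


def build_archive(members: dict) -> bytes:
    """Constructed test data: build an in-memory zip from {member_name: bytes}.
    writestr() does not sanitise names, so traversal entries survive as sent."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run each check against a benign input and a constructed malicious one."""
    snippet_dir = "/tmp/zoom-snippet-a1b2c3"  # stands in for the random snippet directory
    results = {
        "giphy_url_ok": is_allowed_gif_origin("https://media.giphy.com/media/abc/giphy.gif"),
        "attacker_url_ok": is_allowed_gif_origin("https://attacker.example/evil.gif"),
        "sanitised_name": safe_cache_name("../../Start Menu/Programs/Startup/evil.exe"),
    }
    benign = build_archive({"snippet.py": b"print('hi')\n"})
    results["benign_targets"] = plan_snippet_extraction(benign, snippet_dir)
    malicious = build_archive({"../../Startup/evil.exe": b"MZ...constructed..."})
    try:
        plan_snippet_extraction(malicious, snippet_dir)
        results["malicious_rejected"] = False
    except ValueError:
        results["malicious_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of planning the extraction before writing anything is that a single bad member aborts the whole archive; extracting member by member and checking as you go would already have written earlier entries by the time a traversal entry is found.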
One of the vulnerabilities was confirmed in versions 4.6.10 and 4.6.11 of the Zoom client (and possibly other versions), while the other affected version 4.6.10 and all earlier versions.
Zoom also announced that it will be adding full end-to-end encryption for Zoom meetings. Security researchers had found that Zoom meetings were not end-to-end encrypted: traffic was encrypted between clients and Zoom's servers, but Zoom held the keys and could decrypt the content, even though the company's website stated that Zoom communications were protected with end-to-end encryption.
Zoom has, however, announced that end-to-end encryption will only be available to paying customers and schools. Users of its free service will not have this protection. Zoom said users of the free version of its platform were more likely to abuse the service, and that by not implementing end-to-end encryption for them, law enforcement would still be able to investigate cases of abuse. Zoom said it wants to work with the FBI and law enforcement in cases where users are using Zoom for malicious purposes. Because end-to-end encryption is not compatible with all Zoom features, it will be provided as an opt-in security measure when it is implemented.