Security researchers found a couple of vulnerabilities affecting the chat features of the popular video conferencing app Zoom that, if exploited, would have let attackers achieve arbitrary code execution.
While the mere mention of Zoom makes people think of video conferencing, the application has a number of other features that can harbor vulnerabilities. In fact, Cisco researchers identified a couple of critical flaws in the Chat feature; either one would have been enough to give attackers a way to execute code remotely.
The first one, dubbed CVE-2020-6109, is an exploitable path traversal vulnerability affecting how the application processes animated

“Only Giphy servers were originally supposed to be used for this feature in Zoom,” reads the advisory. “However, the content from an arbitrary server would be loaded in this case, which could be abused to further leak information or abuse other
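The defensive control the advisory quote points at is an origin check: a GIF feature meant to talk only to Giphy should refuse any other server, and should never let a server-supplied path decide where a downloaded file lands. The following is an added example (not Zoom's code and not from the advisory) of such a check; the allowlisted domain `giphy.com` and the `.gif` extension requirement are assumptions for the example.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumption for this example: the only domain the GIF feature may fetch from.
ALLOWED_GIF_HOSTS = ("giphy.com",)


def is_allowed_gif_url(url: str, allowed_hosts=ALLOWED_GIF_HOSTS) -> bool:
    """Accept only https URLs whose host is an allowlisted domain or a subdomain of one.

    The parsed hostname is compared rather than the raw netloc, so userinfo
    ("giphy.com@evil.example") or port tricks cannot smuggle a foreign host past
    the check, and "giphy.com.evil.example" fails the suffix test.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased, userinfo and port already stripped
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def cache_filename(url: str):
    """Derive a local cache file name from an allowed URL, or return None.

    Only the last path segment is used, after percent-decoding, so encoded
    traversal sequences cannot place the file outside the cache directory.
    """
    if not is_allowed_gif_url(url):
        return None
    name = posixpath.basename(unquote(urlsplit(url).path))
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        return None
    if not name.lower().endswith(".gif"):
        return None
    return name
```

Decoding before taking the basename matters: a check on the raw URL would see `..%2F..%2F` as an ordinary file name, while the file system sees `../../`.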
The second was an exploitable path traversal vulnerability that affected how code snippets are shared by generating a special zip archive.

“Zoom’s chat functionality is built on top of XMPP standard with additional extensions to support rich user experience,” say the researchers. “One of those extensions supports a feature of including source code snippets that have full syntax highlighting support. The feature to send code snippets requires installation of an additional plugin, but receiving them
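An archive received from another chat participant is attacker-controlled input, and the classic failure mode for a zip-based feature is a member name that walks out of the extraction directory. The following is an added example (not Zoom's code and not from the advisory) of validating every member before extracting: it rejects absolute paths, names that normalise to a location outside the destination, and symlink members. The sample archives are constructed inline and are not real Zoom traffic.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile


def entry_escapes(dest_dir: str, member_name: str) -> bool:
    """True if extracting member_name under dest_dir would write outside dest_dir."""
    # Absolute paths and Windows drive letters have no place in a shared snippet.
    if member_name.startswith(("/", "\\")) or (len(member_name) > 1 and member_name[1] == ":"):
        return True
    # Zip names use '/', but tolerate '\' so a Windows-style name cannot slip past.
    normalized = posixpath.normpath(member_name.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        return True
    # Resolve the final location and require it to stay inside the destination.
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *normalized.split("/")))
    return os.path.commonpath([dest_real, target]) != dest_real


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Names of members that would escape dest_dir, plus any symlink members
    (a link pointing outside the tree is the other classic escape)."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            unix_mode = info.external_attr >> 16  # upper 16 bits hold Unix st_mode
            if stat.S_ISLNK(unix_mode) or entry_escapes(dest_dir, info.filename):
                unsafe.append(info.filename)
    return unsafe


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if every member is confined to dest_dir; raise otherwise."""
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError("refusing to extract, traversal or symlink entries: %r" % unsafe)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def extract_to_tempdir(zip_bytes: bytes) -> list:
    """Convenience wrapper: extract into a fresh temporary directory."""
    return safe_extract(zip_bytes, tempfile.mkdtemp(prefix="snippet-"))


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip; entries map member name -> (bytes, is_symlink)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (data, is_symlink) in entries.items():
            info = zipfile.ZipInfo(name)
            if is_symlink:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample archives for the example (not real Zoom messages).
BENIGN_ARCHIVE = build_archive({
    "snippet/main.py": (b"print('hello')\n", False),
})
HOSTILE_ARCHIVE = build_archive({
    "snippet/main.py": (b"print('hello')\n", False),
    "../../outside.txt": (b"escapes via ..\n", False),
    "snippet/../../also-outside.txt": (b"escapes after a valid prefix\n", False),
    "snippet/link": (b"../../outside-target", True),
})

if __name__ == "__main__":
    print("benign:", find_unsafe_entries(BENIGN_ARCHIVE, "/tmp/snippet-dest"))
    print("hostile:", find_unsafe_entries(HOSTILE_ARCHIVE, "/tmp/snippet-dest"))
```

The check is done over the whole archive before a single byte is written, so a hostile member found late in the listing cannot leave earlier members already on disk.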
The vulnerabilities affected Zoom Client version 4.6.10. A patch correcting the problems has already been issued.

The company also announced a new policy on encrypting sessions, explaining that end-to-end encryption will be a feature available for paid accounts, companies, and educational entities using the platform.
The company determined that most of the abuse, such as zoom-bombing, comes from users with free accounts. Not providing those accounts with end-to-end encryption makes it easier for law enforcement and Zoom's own teams to investigate any incidents.