Zoom Vulnerability

Published: 10/07/2019

Reference:
Advisory #2019-018

Version:
1.0

Affected software:
Zoom for macOS

Type:
DDOS, Unauthorized access

CVE/CVSS:
CVE-2019-13449, CVE-2019-13450

Sources

https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Risks

A vulnerability discovered in the Mac Zoom client allows a maliciously crafted website to enable your camera without your permission and/or perform a denial of service by repeatedly joining the user to an invalid call. Uninstalling the application still leaves a localhost server running on the vulnerable system, which allows the client to be re-installed without user consent.

A proof of concept is available.
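The residue described above (a local web server that keeps listening on the loopback interface after the client is removed) is the part an administrator can verify from the host itself. The script below is an added example and is not part of the CERT.be advisory or of Zoom's own tooling: it filters `lsof -nP -iTCP -sTCP:LISTEN` output for loopback-only listeners owned by a process whose name contains "zoom". The sample `lsof` lines, PIDs and port numbers are constructed for offline testing; the real port and process name are whatever the vendor documents for the affected version.

```shell
#!/bin/sh
# Added example (not from the CERT.be advisory): detect a Zoom-named process
# listening on the loopback interface, the residue the advisory says survives
# an uninstall. Input lines follow the column layout of
#   lsof -nP -iTCP -sTCP:LISTEN
# i.e. COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is
# "<address>:<port> (LISTEN)".

# find_zoom_loopback_listeners reads lsof-style lines on stdin and prints
# "COMMAND PID ADDRESS" for every listener bound to 127.0.0.1 or [::1]
# whose command name contains "zoom" (case-insensitive).
find_zoom_loopback_listeners() {
    awk '
        $1 == "COMMAND" { next }                      # skip the lsof header
        tolower($1) ~ /zoom/ &&
        $(NF-1) ~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/ { # loopback address only
            print $1, $2, $(NF-1)
        }
    '
}

# check_live_host runs lsof on the current machine (macOS ships lsof).
# Returns 1 when a Zoom loopback listener is present, 0 when none is found,
# 2 when lsof is unavailable.
check_live_host() {
    if ! command -v lsof >/dev/null 2>&1; then
        echo "lsof not available on this host" >&2
        return 2
    fi
    found=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | find_zoom_loopback_listeners)
    if [ -n "$found" ]; then
        echo "Zoom loopback listener(s) present (update or remove the client):"
        echo "$found"
        return 1
    fi
    echo "No Zoom loopback listener found"
    return 0
}

# Constructed sample output (made-up PIDs and ports) used to exercise the
# filter without touching the live host. Only the first line should match:
# the sshd and zoom.us entries are not bound to loopback.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpene  4242 alice   7u  IPv4 0x1234      0t0  TCP 127.0.0.1:55555 (LISTEN)
sshd        123 root    4u  IPv4 0x5678      0t0  TCP *:22 (LISTEN)
zoom.us    4300 alice   9u  IPv4 0x9abc      0t0  TCP *:443 (LISTEN)'

# Run against the live host only when asked to, so sourcing the file for the
# filter function alone has no side effects.
if [ "${1:-}" = "--live" ]; then
    check_live_host
fi
```

Run `sh check_zoom_listener.sh --live` on a macOS endpoint after removing or updating the client; a non-zero exit with a listed `COMMAND PID ADDRESS` line means the local server is still running and the host should be treated as unpatched.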

Recommended Actions

CERT.be recommends that system administrators update vulnerable Zoom client applications on macOS systems to the latest version:
https://zoom.us/download