Zoom 5.4.3 (54779.1115) / 5.5.4 (13142.0301) Information Disclosure

2021.03.23
Credit: Matthias Deeg
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-668


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Advisory ID: SYSS-2020-044 Product: Zoom Manufacturer: Zoom Video Communications, Inc. Affected Version(s): 5.4.3 (54779.1115) 5.5.4 (13142.0301) Tested Version(s): 5.4.3 (54779.1115) 5.5.4 (13142.0301) Vulnerability Type: Exposure of Resource to Wrong Sphere (CWE-668) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2020-12-02 Solution Date: - Public Disclosure: 2021-03-18 CVE Reference: CVE-2021-28133 Authors of Advisory: Michael Strametz, Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Zoom is a video conferencing and messaging software with support for many different devices. Some of the supported features as described by the manufacturer are (see [1]): " * Unparalleled usability Enable quick adoption with meeting capabilities that make it easy to start, join, and collaborate across any device. * Join anywhere, on any device Zoom Meetings syncs with your calendar system and delivers streamlined enterprise-grade video conferencing from desktop and mobile. * Powerful meeting security Robust security settings ensure disruption-free meetings. Encryption, role-based security, Passcode protection, Waiting Rooms and more. " Due to a security issue concerning the "share screen" functionality, screen contents of applications which are not explicitly shared by the screen-sharing user can be seen by other meeting participants. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When a Zoom user shares a specific application window via the "share screen" functionality, other meeting participants can briefly see contents of other application windows which were not explicitly shared. The contents of not shared application windows can, for instance, be seen for a short period of time by other users when those windows overlay the shared application window and get into focus. Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue. A participant of a Zoom meeting recording a meeting using a screen recorder software may afterwards have access to sensitive data of other users which is accessible in a few frames of the recorded video. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS could successfully demonstrate the described attack concerning screen recordings of Zoom meetings with unintentionally shared screen contents both using the current Windows and Linux Zoom client software. In this attack scenario, the two users Alice and Mallory are in the same Zoom meeting and Alice shares her web browser window via the "share screen" functionality. Mallory records her whole desktop screen using a screen recorder software, for instance SimpleScreenRecorder [3]. Between showing different things in her shared web browser window, Alice uses another application whose application window happens to overlay the shared web browser window. The contents of this other application window, which is explicitly not shared with Mallory, can sometimes briefly be seen by Mallory. When watching the created screen recording, Mallory can pause the video at will and thus see the unintentionally shared application window contents from Alice. A SySS proof of concept video illustrating this security issue is available on our SySS Pentest TV YouTube channel [5]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a fix for the described security issue. Please contact the software manufacturer for further information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-12-02: Vulnerability reported to manufacturer 2020-12-02: Manufacturer acknowledges receipt of security advisory 2020-12-02: Manufacturer asks for more information 2020-12-03: SySS provides more information concerning the security issue 2020-12-03: Manufacturer confirms reproducing the security issue in both the Windows and the Linux client and asks further questions 2020-12-04: SySS answers open questions 2020-12-04: Manufacturer responds and will look into the reported security issue 2021-01-21: SySS asks for status update 2021-02-01: SySS asks for status update 2021-03-18: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Website for Zoom https://zoom.us/ [2] SySS Security Advisory SYSS-2020-044 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-044.txt [3] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] GitHub Website of SimpleScreenRecorder https://github.com/MaartenBaert/ssr/ [5] SySS Proof of Concept Video: Zoom Unintended Screen Sharing Issue https://www.youtube.com/watch?v=SonmmgQlLzg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Michael Strametz of SySS Cyber Security GmbH (Austria) and Matthias Deeg of SySS GmbH. E-Mail: michael.strametz@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Michael_Strametz.asc Key Fingerprint: AD50 E8B8 4E6E 5E00 F45F CE35 744F A11A 2EAC 214D E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top