Moderate
Zoom Client Information Disclosure (Webcam) CVE-2019-13450
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Moderate
(2 users assessed)
Moderate
(2 users assessed)Unknown
Unknown
Unknown
Zoom Client Information Disclosure (Webcam) CVE-2019-13450
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
Add Assessment
Ratings
-
Attacker ValueLow
-
ExploitabilityMedium
Technical Analysis
Possibly a source of other vulnerabilities in the internal webserver, worth a look at least to see if there is anything else that could be exploited.
Note, it appears that now there are private Zoom PoC’s exploiting the webserver for remote code execution, though this appears to require the user to have uninstalled Zoom first leaving the web server behind. This is likely due to something in the clawback reinstaller not validating or accepting an attacker-controlled resource for the installer binaries.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild Report
Ratings
-
Attacker ValueMedium
-
ExploitabilityMedium
Technical Analysis
Potentially useful in drive-by attack scenarios but the attack does depends on a few conditions. If the user has disabled their video when joining a meeting then the webcam won’t be on even if a link is clicked/followed. If the video is enabled when joining a Zoom meeting then the information disclosure would depend on what is in view of the webcam, which could potentially be nothing. A Zoom window appears when Zoom is launched so the time for capturing potentially sensitive information is limited as well (assuming someone will close a meeting that they didn’t intend to join). Also, the user would have to be running the Zoom client on macOS.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
