Attacker Value
Moderate
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

Zoom Client Information Disclosure (Webcam) CVE-2019-13450

Disclosure Date: July 09, 2019
Last updated: March 03, 2020

Description

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
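A host check for the conditions the description lists, added here as an example and not part of the original entry: it classifies `~/.zoomus` and filters `lsof` listener output for ports 19421 and 19424. The function names and verdict labels are this example's own assumptions.

```sh
#!/bin/sh
# Added example: audit one macOS account for the Zoom localhost web server
# remnants named in the CVE-2019-13450 description. Function names are ours.

ZOOM_PORTS="19421 19424"   # localhost ports listed in the description

# Classify <home>/.zoomus. The description says to delete the directory and
# leave a plain file with the same name in its place.
zoomus_state() {
    p="${1:-$HOME}/.zoomus"
    if   [ -L "$p" ]; then echo "symlink"
    elif [ -d "$p" ]; then echo "directory"
    elif [ -f "$p" ]; then echo "plain-file"
    elif [ -e "$p" ]; then echo "other"
    else                   echo "absent"
    fi
}

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin; print "port command pid"
# for every listener bound to one of ZOOM_PORTS.
listening_zoom_ports() {
    awk -v ports="$ZOOM_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $NF == "(LISTEN)" {
            port = $(NF - 1); sub(/.*:/, "", port)   # strip address, keep port
            if (port in want) print port, $1, $2
        }'
}

# Combine both observations into one finding; a live listener outranks the rest.
audit_verdict() {   # $1 = zoomus_state result, $2 = listener lines (may be empty)
    if [ -n "$2" ]; then echo "EXPOSED"; return; fi
    case "$1" in
        directory)  echo "RESIDUAL"    ;;   # install remnant still on disk
        plain-file) echo "PLACEHOLDER" ;;   # plain file occupies the path
        absent)     echo "ABSENT"      ;;
        *)          echo "REVIEW"      ;;   # symlink or other type: inspect by hand
    esac
}

audit_host() {
    listeners=""
    if command -v lsof >/dev/null 2>&1; then
        listeners=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | listening_zoom_ports)
    fi
    state=$(zoomus_state "$HOME")
    echo "$(audit_verdict "$state" "$listeners") zoomus=$state ${listeners:+listeners=[$listeners]}"
}
audit_host
```

`RESIDUAL` is the case the description's NOTE covers: the client may be gone while the `~/.zoomus` directory remains.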


6
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

Possibly a source of other vulnerabilities in the internal webserver, worth a look at least to see if there is anything else that could be exploited.

Note, it appears that now there are private Zoom PoCs exploiting the webserver for remote code execution, though this appears to require the user to have uninstalled Zoom first, leaving the web server behind. This is likely due to something in the clawback reinstaller not validating or accepting an attacker-controlled resource for the installer binaries.

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Potentially useful in drive-by attack scenarios, but the attack does depend on a few conditions. If the user has disabled their video when joining a meeting then the webcam won’t be on even if a link is clicked/followed. If the video is enabled when joining a Zoom meeting then the information disclosure would depend on what is in view of the webcam, which could potentially be nothing. A Zoom window appears when Zoom is launched so the time for capturing potentially sensitive information is limited as well (assuming someone will close a meeting that they didn’t intend to join). Also, the user would have to be running the Zoom client on macOS.
