BreachExchange mailing list archives
Taking a Closer Look at Zoom
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 27 Apr 2020 09:17:04 -0500
https://www.riskbasedsecurity.com/2020/04/27/taking-a-closer-look-at-zoom/

When there is any crisis or major security event, you can count on a lot of news attention, as well as security companies and researchers writing blogs, all providing their hot takes. There is a fine balance between adding actual relevant information and insight and ambulance chasing and regurgitation. Given the current COVID situation, we have done our best to tread carefully. Providing value and a central source of reporting has always been in our DNA at Risk Based Security. When new events happen that are in our wheelhouse, particularly involving data breaches or vulnerabilities, we will provide our insight. Speaking of which, this leads us to Zoom!

In This Article:
- 'Shall We Zoom?'
- Arising Issues on Two Fronts
- The Zoom Blacklist
- Is Zoom Safe To Use?
- Security Industry Hot Takes
- Zoom's Security Response and Actions
- Risk Based Security's Insight

'Shall We Zoom?'

It almost seems as if Zoom became a sensation overnight for millions of people, with the company/product name even being used as a verb, much like "Google it". But while many are only now hearing about and using Zoom, the company was founded in 2011 and has been around for nine years, used by thousands of companies world-wide for client meetings, including product demonstrations. For many users, the COVID-19 pandemic is the main reason they have heard of Zoom, as it has increasingly become a go-to product for families and friends to stay in touch. Aside from family use, Zoom has even been used for wedding ceremonies, and educational facilities have turned to Zoom for the ability to keep conducting classes, both for school and for after-hours activities. Even before the pandemic, business use of Zoom had been growing for several years, especially for remote meetings and demos.
While most have understood that Webex basically dominated the landscape for over a decade, frustrations with stability, security concerns, the ease of joining meetings and a lack of features have caused many to look for alternative products. Stepping in to fill the gap in the market, Zoom has become known for being very reliable, boasting no major outages, and the quality of the experience has been top notch for many. It is cross-platform and easy to use, which makes it easy to adopt. Zoom also has an added element of fun, giving users the ability to upload pictures and creative virtual backgrounds. The reliability of the offering and Zoom's features have made it culturally relevant, with shows like SNL and other media outlets giving attention to amusing user mistakes and work fiascos.

Arising Issues on Two Fronts

Unfortunately, the Zoom rocket-ship success story didn't last long without significant controversy. As attention grew, a number of issues were uncovered relating to privacy settings as well as vulnerabilities within the platform itself.

1. ZOOMBOMBING

The first thing that started to happen was "Zoombombing", where trolls caused significant problems for unsuspecting users who had not enabled authentication on their calls. While the practice is largely seen as a prank, children have been exposed to explicit images, and in some cases law enforcement has arrested those responsible. The ability to "Zoombomb" has raised concerns not only for educational facilities but for ordinary users and new work-from-home folks as well. In many cases, Zoombombers are able to crash these calls because Meeting IDs are shared in invites or screenshots, and because of insecure default settings (no meeting password, anyone holding the ID can join, and any participant can share their screen). The good news is that many of these attacks can be easily avoided.

2.
VULNERABILITIES AND PRIVACY ISSUES

While the media continues to report on new Zoombombing attacks, there are also a good number of reports of security vulnerabilities and privacy concerns within the platform. As these issues come to light, Zoom has found itself in a California lawsuit, and more are expected. All of these issues lead to the question: is Zoom safe to use or not? As is often the case with security, there isn't a clear-cut answer.

The Zoom Blacklist

A complete analysis of Zoom from a security perspective hasn't been completed, yet the overwhelming presence of sensational articles in the news media has led to quite a bit of confusion. Given the material out there, it is not hard to view Zoom as a massive security risk, and some companies, governments and educational institutions have banned or discontinued its use:

- Google has banned Zoom from company-owned computers. Administrators will disable it this week, and Google employees have been directed to use Google's own Duo instead.
- SpaceX has forbidden employees from using Zoom, citing security and privacy concerns.
- Smart Communications, a Philippines-based ISP, has banned Zoom for internal use.
- There is a list of countries where Zoom won't function at all, based on the US government's list of sanctions.
- Taiwan has banned Zoom for use by all government agencies.
- NASA has banned all employees from using Zoom.
- The German Foreign Ministry has restricted Zoom use to personal computers in emergency situations only, as reported by Reuters.
- The United States Senate has urged its members to choose platforms other than Zoom due to security concerns, but has not issued an outright ban (although at least one congressman has called for one).
- The Australian Defence Force banned its members from using Zoom after an Australian comedian Zoombombed one of its meetings.
- Singapore has banned teachers from using Zoom after hackers posted obscene images on screens.
- New York City's Department of Education has banned teachers from using Zoom and encourages them to switch to Microsoft Teams.

The decision of high-profile organizations like these to ban Zoom appears to validate the perception of critical security issues plaguing the platform. However, while many home users have concerns, many questions remain and few alternatives are as well known. As a result, many home users set aside their privacy and security concerns and continue to use Zoom to stay in touch with loved ones. In the private sector, despite the press attention on the aforementioned bans, anecdotal evidence suggests that many businesses continue to use Zoom. In the government sector the pattern is inconsistent. After the Department of Homeland Security and the General Services Administration advised agencies not to use the free Zoom video teleconferencing service, a casual survey of agency CIOs found that most were not using it in the first place. At the same time, the DoD has said that Zoom is officially approved for use in unclassified situations by troops, DoD employees, and contractors.

Is Zoom Safe To Use?

Before we can make a decision, or help organizations evaluate their own risk of using Zoom, it is important to more fully explore and understand the various issues facing Zoom.

USER AWARENESS AND CONFIGURATION PROBLEMS

Zoom's ease of use became a double-edged sword. It is incredibly convenient to join a call by clicking a single button, but that convenience sidesteps security measures. Combine this removal of friction with the fact that the majority of users don't have a basic security understanding, and you get a situation where people will often be taken advantage of.

"People can change their settings to make it less likely they will be harassed, but few people do and they're not to blame. The company didn't focus on security and other dangers when it should have.
Zoombombing is now a consequence of the company's deliberate choices to make voice calling a breeze." (Shira Ovide, NY Times)

Zoombombing is easy to do if you have the link, and finding the link can be easy given user behavior and the tools being created specifically to find Zoom meeting IDs. In response, Zoom issued guidelines to mitigate intrusions and enacted common-sense security measures such as password protection. Social media users have also posted their tips on how to deal with the annoyance.

Jessica Lessin (@Jessicalessin), Mar 20, 2020: Our video call was just attacked by someone who kept sharing pornography and switching between different user accounts so we could not block them. Stay tuned for next steps. And I am sorry to everyone who experienced it. We shut down as soon as we could.

Ana (@AnaAgneshwar), Mar 20, 2020: We just got zoombombed.
- Change screensharing to "Host Only"
- Disable "Join Before Host" so people can't cause trouble
- Disable "File Transfer" so there's no digital virus sharing.
- Disable "Allow Removed Participants to Rejoin" so booted attendees can't slip back in.

But despite these tips, Zoombombing isn't slowing down. In fact, some suggest that the practice will continue to get worse. Zoombombing has even been showcased as a form of playful entertainment, further encouraging bored intruders.

SECURITY VULNERABILITIES

Aside from user problems and configuration issues, security researchers have disclosed numerous issues and vulnerabilities within the platform itself. One of the first issues to get massive media attention was the discovery that the iOS Zoom app was sending device data to Facebook, even if the user did not have a Facebook account. The data informed Facebook when the app was opened and by which device, including model, time zone, city, and phone carrier.
A unique advertiser identifier was also created and associated with the device, allowing companies to send targeted advertisements to that user.

On March 30, Felix (@c1truz_) disclosed on Twitter how the macOS installer does its work, and the same day former NSA hacker Patrick Wardle published two bugs, the first of them building on that installer behaviour:

Felix (@c1truz_), Mar 30, 2020: Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).

The first vulnerability involved the installer, which did its work from a preinstallation script (run before the user ever clicks Install) together with a helper that executed with root privileges; a local, unprivileged attacker could abuse that helper to gain root on the user's computer. The installer also displayed a faked macOS system prompt (which doesn't sound so different from our previous covert redirect phishing examples). Although this behaviour isn't "strictly malicious", it is undoubtedly a shady practice. In fact, @c1truz_ describes the installation method as using the "same tricks... used by macOS malware".

The other vulnerability found by Wardle involved Zoom's camera and microphone permissions. The article suggests this vulnerability is the more serious if exploited, as it would allow an attacker to hijack a Zoom user's camera and microphone without their knowledge. However, we believe the installer issue was the more severe, as it allowed a local attacker to gain root privileges on the system. The follow-up issue does allow bypassing the Hardened Runtime protection to gain access to the microphone and camera unprompted (a library loaded into the Zoom process inherits Zoom's already-granted camera and microphone access), but it first requires write access to the application's Contents/Frameworks folder, so it depends on the first vulnerability or some other prior foothold on the machine.

Unfortunately for Zoom, another issue was found on the same day, March 30.
Despite its marketing material, it was discovered that Zoom did not actually have end-to-end encryption. Instead, Zoom relied on "transport encryption", i.e. encryption between each client and Zoom's servers, which means the servers handle the unencrypted audio, video and messages, and Zoom could in principle mine that content, for instance for targeted advertising. When contacted, a Zoom spokesperson advised:

"Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP." (Zoom spokesperson)

The discovery of these issues has led to distrust and to several lawsuits, many of them citing the California Consumer Privacy Act. These vulnerabilities, together with further findings of leaked email addresses and personal data, including over 500,000 Zoom accounts found for sale on the dark web, have sparked numerous concerns about Zoom's privacy policy and how data is routed. At the time of publication, we track a total of nine vulnerabilities for the Zoom Client for Meetings in VulnDB, five of them disclosed in 2020.

PRIVACY CONCERNS

Zoom's privacy policy states that it collects a multitude of data on users, including name, physical address, email, phone number, job title, and employer. When we factor in the bugs and vulnerabilities mentioned earlier, Zoom also collects:
- Facebook profile information
- Device information
- Network information
- The user's operating system
- Zoom usage information
- Phone carrier
- Time zone

While some of this data is provided directly by the user when registering, the vast majority of what is listed is collected automatically and quietly by the Zoom app. In its privacy policy Zoom assures that it does not "sell" this data to third parties. However, if you read further it says:

"As described... Zoom does use certain standard advertising tools on our marketing sites which... sends personal data to the tool providers such as Google. This is not a "sale" of your data in the sense that most of us use the word sale.
However, California's CCPA law has a very broad definition of "sale". Under that definition, when Zoom uses the tools to send the personal data to the third-party tool providers, it may be considered a "sale"." (Zoom's Privacy Policy)

So although Zoom user data is not "sold" to third parties, it is "shared", which doesn't make the matter any better for consumers.

FOREIGN CONCERNS

Since this trove of data is being collected and stored, many analysts and users have been concerned with foreign targeting, especially from China. According to Time, U.S. counterintelligence agencies have observed espionage attempts from Russia, Iran, and North Korea as well, all of them trying to spy on Americans' Zoom video chats. Zoom faced further scrutiny when it was found that some calls and data were being routed through China. Given that the Chinese government is notorious for heavily monitoring and controlling internet use, many feared that it could compel Zoom to decrypt the data passing through those servers; with only transport encryption in use, the servers terminating those connections handle the content, so where they are located matters. In response to this discovery, Eric Yuan, Zoom's CEO, stated that Chinese servers had been brought into rotation quickly to "come to the aid of people around the world" during the sharp rise in use during the pandemic. To allay mistrust, Zoom then implemented a feature to control data routing (mainly to exclude Chinese servers).

Security Industry Hot Takes

Are all these perceived issues in Zoom serious, or media hype? The security industry appears divided into three mindsets.

1. "ZOOM IS THE WORST"

"If you care about your security and privacy, perhaps stop using Zoom." (Patrick Wardle, former NSA hacker, principal security researcher at Jamf)

It seems that many people, especially researchers, fall into this bucket due to the growing list of criticisms Zoom has faced this year. Ultimately, it comes down to a shortage of trust resulting from a lack of transparency, company foresight, and code maturity.
Researchers are having a field day disclosing everything they can find in Zoom, with the media following closely, even where an issue wouldn't normally be of interest. There are many Twitter threads, created by researchers such as Mudge, detailing issues and potential attacks. TechCrunch sums up the arguments for dropping Zoom, or at least using it with heavy scrutiny. Perhaps Zoom has flown too close to the sun and will unceremoniously hit the ground. With a growing list of vulnerabilities, coupled with privacy policy issues and a lack of transparency, many see Zoom as a heavy security liability.

2. "ZOOM ISN'T THAT BAD; THEY'RE TRYING"

People in this bucket understand that the issues involving Zoom are potentially serious, but are also sympathetic to the fact that Zoom saw an incredible, unforeseen increase in its user base. Jumping from 10 million to over 200 million daily meeting participants in just three months, it is understandable to a degree that issues were discovered as more attention was given to the software. When confronted with the issues, Zoom has been very responsive and has made solid PR decisions. The quick response and emphasis on improving security have alleviated some of the pressure. Which is a good thing, because researchers are often met with silence when they uncover security issues. Had Zoom acted that way, it would have been a death sentence within the security community.

3. "ZOOM ISN'T THE PROBLEM"

The argument here isn't that Zoom has no flaws, but that the company is being unfairly attacked by much of the security community as well as the media. Defenders say that many of the "vulnerabilities" affecting Zoom are either not as damaging as presented, or aren't necessarily issues with the actual product. Amit Serper, along with David Kennedy and Russ Handorf, authored an informative piece advising that many of the vulnerabilities have already been dealt with, and noting that competing products had similar concerns.
Adding to this, they expressed frustration that some publications were falsely labeling Zoom as malware, feeding the public's distrust and fear of compromise. This misinformation is concerning. We at Risk Based Security also want to make a clear distinction: Zoom is not malware. Forbes' Davey Winder expressed a similar sentiment and documented that attackers are capitalizing on the confusion, noting that between February and March there was an increase of over 2,000% in malicious files with "zoom" in the name.

Zoom's Security Response and Actions

In Zoom's defense, Eric Yuan, the CEO of Zoom, has been fairly transparent about the security and privacy issues the company now faces. He has apologized numerous times to the press and has openly discussed the issues in interviews with Bloomberg. To Zoom's credit, Yuan has been consistent in his messaging, acknowledging that Zoom has fallen short of privacy and security expectations and that he is doing everything he can to remedy the situation. It seems that Zoom is actually making a meaningful effort to improve rather than merely to improve public perception, including the following actions:

FEATURE FREEZE

To demonstrate its dedication to security, Zoom decided to stop pushing new features for 90 days. Instead, it promised to focus solely on security issues to maintain and win back customer trust. Zoom has already made steady progress. A day after announcing the feature hold, Zoom fixed the issue with its macOS installer, removed a LinkedIn data-mining feature, and patched the Windows vulnerability. It has also promised to release regular transparency reports.
VULNERABILITY RESPONSE

Despite a corporate climate where data breaches, leaks, and security issues seem like a daily occurrence, Zoom's responses and transparency have been acknowledged positively, differentiating it from the many vendors with boilerplate PR responses. As part of its feature hold initiative, Zoom is bolstering its vulnerability response and has received a reaction few companies in its situation receive: praise. Too often researchers are met with silence, or with months (or years) of reserved responses. Being vulnerability researchers ourselves, we know the pains of coordination all too well.

ENHANCED BUG BOUNTIES

Along with increased resources for its vulnerability response teams, Zoom is also enhancing its bug bounty program. This is a good step forward, but Zoom needs to end practices such as the use of non-disclosure agreements (NDAs), or its bug bounty program may be seen as a marketing stunt. NDAs create the perception among security researchers that "their silence is being bought and sold to prevent public exposure of insecure practices". Bug bounty programs are supposed to benefit both researchers and the impacted organization, but if Zoom tries to silence issues it will find that researchers go straight to the press and bypass it entirely. That is what happened last summer, before Zoom's massive gain in market share. Security researcher Jonathan Leitschuh found a vulnerability involving Zoom's webcam use (a local web server left behind by the Mac client let any website a user visited force them into a meeting with their camera on) and reached out to Zoom's bug bounty program through Bugcrowd. As standard etiquette demands, Leitschuh gave Zoom 90 days to remediate the issue before publication. Zoom failed to do so and asked him to sign an NDA barring him from disclosing or publishing the issue even after the vulnerability was patched. Of course, he refused.
That practice does not sit well with the security community, and hopefully, with its revamp, Zoom will ensure that all parties benefit from the good work vulnerability researchers do. With the increased scrutiny Zoom is receiving, some experts in the space have voiced concerns about ineffective bug bounty programs.

ENGAGING SECURITY EXPERTS

Concerns about Zoom's bug bounty program may not be an issue for long, as Zoom reached out to Katie Moussouris and officially tasked her with improving it. In addition to hiring Katie, well-known experts and security personalities have been added to Zoom's security roster, including former Facebook CISO Alex Stamos, privacy expert Lea Kissner, cryptographer Matthew Green, and three well-known security firms.

Katie Moussouris (@k8em0), Apr 15, 2020: I'm excited to highlight my colleagues who are adding their expertise in the next few weeks. In addition to welcoming my former colleague @alexstamos to the extended Zoom security family I'd like to welcome @LeaKissner @matthew_d_green @bishopfox @NCCGroupInfosec @trailofbits

Sister HxA full of trace(route) (@hexadecim8), Apr 16, 2020: Damn, Katie didn't say she was forming The Avengers of pandemic cyber security on these streets

H. Poteat (@NSQE), Apr 16, 2020: Thiiiiiiiiis is the highlight of the latest news coming out of Zoom, and thank you, @iMeluny. There are a hundred people Zoom could hire if they just wanted figureheads to look important and sweep crap under the rug. Zoom hired shit-stirrers. Firebrands. People who WILL scream. https://twitter.com/iMeluny/status/1250831926698491904

Melanie Ensign (@iMeluny): A positive sign, based on my experience w/ these individuals — you don't ask @k8em0 @alexstamos @LeaKissner to look under the hood unless you're prepared to hear bold (& often difficult) truths.
<3 If Zoom heeds their counsel, it will likely have formidable capabilities soon.

Public reception to Zoom engaging with experts has been mostly positive, although some individuals within the security community don't appear to be entirely sold, some calling Zoom out by name and others believed to be doing so more generically.

Hoff (@Beaker), Apr 10, 2020: There are people in the InfoSec industry who are held up as idols & heroes within the community who have, under their watch, presided over MULTIPLE mega breaches & privacy debacles yet continue to be given air time & lauded for their expertise & leadership FOR FAILURE AT SCALE

Whatever one's view of the hirings and engagement, Zoom and its newfound expert panel have a good amount of work ahead of them. It will be interesting to see whether a clash results between the security panel and Zoom's corporate goal of making the product simple and easy to use.

WHAT'S NEXT FOR ZOOM

Overall, Zoom has its work cut out for it as researchers and the media continue to scrutinize both the product and the company. Although many vulnerability disclosures are driven by altruism, disclosure has in the past also been a way to strengthen resumes and build reputation in the community. We can expect security firms, researchers, and the media to keep focusing on VPNs and work-from-home tools like Zoom, and as the user base grows, so will the scrutiny. Zoom is on the precipice of either substantially losing market share or driving further growth by capitalizing on its impressive PR strategy. A Blind report found that 35% of professionals worry Zoom may compromise their organization and 12% of Zoom users have dropped the service due to those fears.
That figure may continue to grow as negative press coverage mounts and more companies are added to the Zoom blacklist. But the ease of use that got Zoom into this mess is also proving to be its major strength. If Zoom can properly satisfy security concerns while maintaining its current goodwill and transparency, well, that is how brand loyalty is created. Brand loyalty is incredibly important as the video app space becomes more crowded, each product with its own set of drawbacks. Zoom's features have made it accessible to nearly every kind of user, so if it can put this behind it, it may be able to hold on to those 200 million users. As time passes, Zoom will continue to see more bugs. And in the meantime, while it implements the 90-day feature freeze, its competitors will ramp up their marketing efforts to increase their share of the market. The good news is that Zoom appears to be following through on its promise to double down on security and privacy. As The Verge reported, Zoom's recent 5.0 update addresses many issues, including enabling passwords for most customers and making those and other security settings on by default.

Risk Based Security's Insight

Any time there are issues such as the ones Zoom is facing, emotions and cognitive biases creep into the arguments. The best method, we believe, is as always to take a risk-based approach and look at actual data to better understand what is truly happening.

EVALUATING VENDORS THAT COULD PUT YOU AT RISK

At Risk Based Security we believe it is important to evaluate vendors and evolve beyond the Vulnerability Whack-a-Mole game, as we have discussed in the past:

"We need to continue to educate and enable organizations to start looking at Vulnerability Management from a more strategic standpoint, and apply more of a problem management approach. Ask yourself: What if you knew the vendors or products that would most likely put you at risk for a data breach or compromise?
What products or libraries/components cost the most to maintain securely? What if you could easily look at your vendors and see how much they care about their own security? Are they actively addressing the vulnerabilities within the products they are shipping to you? And if a vulnerability does make it through, how quickly do they respond and provide a patch?

We do firmly believe that if organizations have access to easy to understand ratings and are able to gather better insights about the products they are relying on, they can take a strategic approach. They can finally achieve proactive, risk-based vulnerability management, set aside the squeaky mallet, and move on from the whack-a-mole game."

It has long been debated whether vulnerability counts really matter when evaluating software quality and overall security. Like many topics in the security industry, this one brings out strong opinions. Allen Householder weighed in on Twitter, explaining that CERT/CC gets this question often. Our own CEO, Jake Kouns, followed up with some thoughts: we at Risk Based Security do value and evaluate how a vendor responds, but this is just one of many metrics we believe are important to understanding a product's code maturity and investment in security.

Allen Householder (@__adh__), Apr 11, 2020: Folks often ask us @certcc whether a vendor with lots of vuls is worse than one with few. Wrong question. It's all in how they respond - What they do once they know about them is what counts. Zoom appears to be doing it right. https://twitter.com/BillDemirkapi/status/1248909505234075649

Bill Demirkapi (@BillDemirkapi): Soon after this tweet, the CEO of Zoom @ericsyuan reached out and offered me an internship. Excited to announce that I'll be joining Zoom's security team for the summer. https://twitter.com/BillDemirkapi/status/1245271580852322304

jkouns (@jkouns), Apr 11, 2020: We agree that how a vendor responds to a vuln is important, but that isn't the only thing.
The types of vulns still being found gives us a clear indication of the product's code maturity and their investment in security.

THREAT MODELS AND ATTACK VECTORS REALLY MATTER

While there have been a lot of news articles and reviews of Zoom, only a few were detailed and attempted to point out technical issues. A Twitter thread from Mudge was one of these, highlighting security concerns for the Zoom client on Linux. However, while the thread provided some useful insights, it didn't provide the context a security practitioner really needs to make a proper risk decision about using Zoom. Mudge provided various information to back up his point of view, but his conclusion that Zoom is an unsafe product appeared to rest mostly on two things: (1) missing support for defense-in-depth (DiD) security mechanisms like DEP and ASLR, and (2) heavy use of potentially dangerous functions, specifically "453 calls to bad security" functions and "6316 to risky" functions.

To be fair, the fact that Zoom didn't seem to enable any DiD security mechanisms in the Linux client is very weak in 2020. On Linux that means building the executable as position-independent (PIE) so that ASLR can randomize its load address, and keeping the stack non-executable (the Linux counterpart of DEP); neither requires more than standard compiler and linker flags (-fPIE -pie, and not passing -z execstack). They deserve to be called out for that poor practice; it is part of even a beginner's SDL (Security Development Lifecycle). As Mudge also points out, it does make certain types of vulnerabilities a lot easier to exploit if they are found in the client. However, by itself it doesn't mean the Zoom client is an unsafe product that shouldn't be used. Similarly, we concur with Mudge that the prolific use of potentially unsafe functions is a sign of a less than mature SDL but, again, by itself (or even combined with the first point) it does not mean that the Zoom client for Linux is unsafe and unfit for use. Using these types of functions does increase the risk of mistakes where untrusted input is supplied in a manner that leads to a vulnerability.
However, if used carefully and correctly with only trusted input, there is as such no problem with these functions being used in the code. Even if untrusted input is passed to one of these functions, it may still not result in a vulnerability if the attack vector gives an attacker nothing to gain. Mudge states that based on these issues the Zoom Client for Linux "would be considered too easy to exploit" and that he'll show "coding vulnerabilities" in the thread. It's relevant to note that he never actually does. He does provide an example of potentially problematic use of the popen() function, but it does not constitute an actual vulnerability even if referred to as one (popen() hands its argument to /bin/sh, so it is only a problem where an attacker can influence part of that string). He later clarifies that it was just intended as "an example of identifying poor security coding practices" and encourages people to find "a more exploitable example". However, if the client were indeed so flawed and easy to exploit, providing a legitimate vulnerability, or better yet a slew of them, would have gone a long way to prove how unsafe it is. Currently, only two vulnerabilities are known for the Zoom client for Linux, both reported and fixed in 2017. It is equally important to understand that this doesn't mean the product is secure and safe to use. A lot of basic vulnerabilities could well be reported in the product in the near future. Only an in-depth review of the product's attack surface and code can speak to its actual security state. Regardless, there are many things Mudge points out with which we completely agree. The lack of support for security mechanisms like DEP and ASLR, as well as the use of potentially unsafe functions, does suggest less than secure code, or at a very minimum a less than mature Secure Development Lifecycle (SDL).
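The DEP/ASLR observations above come down to a handful of bits in the ELF headers, and a practitioner evaluating a vendor's Linux client can read them directly rather than rely on a tweet. The script below is an added example, not Zoom's code or anything from Mudge's thread: it parses the ELF64 header and program headers to report whether a binary is position-independent (PIE, the prerequisite for ASLR of the main image), whether its stack is marked non-executable (NX, the Linux counterpart of DEP), and whether it carries a RELRO segment. The two sample images it checks are synthetic, header-only ELF files constructed in the script so that it runs offline; point it at a real binary (for example a copy of the Zoom client) by passing the path as an argument.

```python
"""Minimal ELF64 hardening check: PIE, non-executable stack (NX/DEP) and RELRO,
read straight from the ELF and program headers. Added example; the two sample
binaries are synthetic headers built in-line, not real executables."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes, little endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def check_mitigations(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # No PT_GNU_STACK header at all means the kernel falls back to an
    # executable stack, so "absent" is reported the same as "executable".
    nx = bool(stack) and not (stack[0][1] & PF_X)
    return {
        "pie": e_type == ET_DYN,            # ET_DYN executables get ASLR'd
        "nx": nx,
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),
    }


def build_elf(e_type: int, phdr_specs) -> bytes:
    """Build a header-only ELF64 image (constructed test data, not a real binary)."""
    phnum = len(phdr_specs)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\x00" * 9, e_type, 0x3E, 1,
                     0x1000, EHDR.size, 0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdrs = b"".join(PHDR.pack(p_type, p_flags, 0, 0, 0, 0, 0, 16)
                     for p_type, p_flags in phdr_specs)
    return ehdr + phdrs


# Constructed samples: a hardened build, and one built the way the thread
# describes (fixed load address, executable stack, no RELRO).
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
WEAK = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_mitigations(fh.read()))
    print("hardened sample:", check_mitigations(HARDENED))
    print("weak sample:    ", check_mitigations(WEAK))
```

In practice `readelf -lW` or the checksec script give the same answer with less effort; the value of doing it by hand is seeing that the three properties are independent header facts, so a vendor can be asked about each one separately. Stack canaries and FORTIFY_SOURCE need the dynamic symbol table (look for `__stack_chk_fail` and `__*_chk` imports) and are outside this check.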
We are fans of understanding code maturity and have in fact developed a whole system in VulnDB for rating the secure coding state of a product based on the types of vulnerabilities uncovered in it. However, we believe that the security of a product, in this case the Zoom client, cannot be determined solely from a teardown of a few examples that speak to its SDL. Here the code maturity, as Mudge points out, is very low, and on the surface that is very problematic. But academically insecure code is only a concern if there are practical avenues to reach the potential vulnerabilities. Code maturity is important, but it should not be examined in isolation.

It is also worth noting that so far none of the vulnerabilities recently reported in the Zoom clients for Windows and macOS appear to stem from the use of insecure functions, and none of them would have been mitigated by enabling the security mechanisms discussed above. The two old vulnerabilities in the Linux client, though, were indeed due to unsafe function use.

ATTACK VECTORS FOR SOME OF THE RECENT VULNERABILITIES

One of the initial vulnerability reports for the Zoom client, which received a lot of attention and media hype, was a local privilege escalation (LPE) issue. While the vulnerability was quite interesting from a technical point of view, the local vector made it less severe and less of a risk. Another of the initial reports was described as disclosing Windows NTLM credentials (in fact the impact was more severe, as it also allowed execution of commands), but it required that an attacker be in a chat session with the victim and trick them into clicking a malicious link. This also reduced the severity and the risk to organizations. This matters because the threat model, attack surface and attack vectors must be kept in mind while evaluating risk.
In the case of the LPE vulnerability, this means companies should primarily be concerned if the Zoom client is installed on company machines provided to untrusted employees. For users with the Zoom client on their own private systems the risk is quite limited; they only have to worry about bad actors who have already compromised the system by other means and use the flaw to elevate privileges. It is worth noting that if done right (we have not confirmed whether this is the case for the Zoom client), most of the local interfaces in this type of software should run with the user's own privileges, so that even a coding flaw in such an interface would have no security impact and could not lead to elevation of privileges.

In the case of the other vulnerability, the risk is greater to both corporate and private systems. However, the attack vector still requires a bad actor to establish a chat session with the victim and then trick them into clicking a link. The risk can therefore be limited by not engaging in chat sessions with untrusted people and by not clicking links they provide. Given the attack surface of this type of software, such context-dependent or user-assisted attacks are a lot more plausible than any true remote compromise. From what we have seen so far there are certainly legitimate concerns about the Zoom clients, but we would not consider them a critical IT infrastructure concern for organizations, and the risk is no greater than that of many vulnerabilities being disclosed in other software. The Cisco WebEx clients do not exactly have a stellar track record either.

ZERO-DAY CLAIMS OF A USD 500K VULNERABILITY

Just a few days after Mudge's Twitter thread, an article was published suggesting that significant zero-day exploits were in fact being sold, one supposedly so severe that the asking price was USD 500,000.
According to a few sources who trade in such exploits, there were two Zoom zero-days on the market: one for Windows and one for macOS. The sources had not seen the actual exploit code but had been contacted by brokers selling it. The article describes the macOS vulnerability as not being a remote code execution (RCE) issue, but then provides conflicting information about the Windows issue:

"[The Windows zero-day] is nice, a clean RCE [Remote Code Execution]," said one of the sources, who is a veteran of the cybersecurity industry. "Perfect for industrial espionage."

and:

"Generally speaking, an RCE exploit allows hackers to access the target's whole machine, not just the app they are attacking."

These claims suggest a straightforward remote code execution vulnerability that gives control of a victim's system. That is a bit surprising, as it does not match what the interfaces exposed by the Zoom clients would lead one to expect. However, the article then also states:

"The zero-day for Zoom on Windows would allow hackers to access the app, but would need to be coupled with another bug to access the whole machine."

and:

"The source said the exploit requires the hacker to be in a call with the target, making it less valuable for a government spy agency that aims to be stealthy and doesn't want to get caught."

Suddenly it becomes quite clear that the attack vector is not "a clean RCE" but what is commonly considered a context-dependent or user-assisted one, as the victim must first be in a call with the attacker (and possibly further user interaction is required). It is, furthermore, suggested that the exploit does not grant control of the system unless coupled with another vulnerability. When we first saw the headline, we thought that perhaps a very serious and valid zero-day (0-day) allowing code execution had been discovered.
After reviewing the information, it seems more plausible that this is not the case and that someone is just trying to make a quick buck (well... 500,000 of them).

PRIORITIZE USING A RISK-BASED APPROACH

Individuals using Zoom for personal reasons outside a corporate environment should be fine as long as they follow proper security practices. If you are using Zoom, make sure that you are configuring your calls properly. Here are some resources we have found that walk you through the process:

- Zoom isn't Malware
- Magid: Zoom safe to use if properly configured
- The Freedom Of The Press Foundation put together a useful resource breaking down the right video conferencing tool for the job

Businesses using Zoom, or considering it as their primary video conferencing platform, need to follow a risk-based approach. With an understanding of Zoom's security concerns and problems, you can start the vendor evaluation process and avoid playing the vulnerability whack-a-mole game. Assess Zoom's flaws and code maturity alongside the vulnerabilities your organization is already facing in order to mitigate risk effectively, rather than simply following public sentiment.

What Next?

The Zoom story obviously does not end here, and it is becoming a fascinating case study about software vendors and the security of their products. It also shows the importance of understanding the ways in which your digital supply chain exposes you to risk, and the constant decisions organizations have to make to manage the potential impact to their business. We are going to keep a close eye on how the Zoom story develops and will make updates here, to build a comprehensive and hopefully useful resource for the security community.
_______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange