Unauthorized Call and Webcam Access Vulnerability in Zoom Mac Client (CVE-2019-13450)

Ryan Seguin

A zero-day vulnerability in Zoom could potentially lead to a remote code execution attack. Here’s what you need to know.

Background

Security researcher Jonathan Leitschuh has disclosed a zero day in the Zoom client for Mac, that allows an attacker to force a user to join a Zoom call with their webcam enabled. The disclosure blog also suggests this could potentially lead to a remote code execution attack (RCE), which may have been found by other researchers as well but remains undisclosed and unconfirmed. According to the research, a web server running on port 19421 is present if the Zoom client on Mac has ever been installed.

Analysis

Malicious HTTP requests can be sent to the web server installed alongside the Zoom Mac client that launches a video call with the attacker, with the affected user’s webcam enabled. These requests cannot override user configuration though, so if a user has disabled the automatic webcam, they may still be joined to a call, but their webcam will not be enabled. The researcher also mentions CVE-2018-15715, a Zoom message spoofing flaw discovered by Tenable researcher David Wells, which could be used in conjunction with CVE-2019-13450 to execute an RCE attack.

Proof of concept

The advisory blog provides the following lines of code that an attacker could embed in their site to initiate a call with a vulnerable user:

And the following line enables the webcam for users with automatic video turned on:

Vendor response

Zoom has responded to the disclosure with additional information on how it’s going to improve the user experience to alleviate concerns in the future. Zoom also noted that the Denial of Service (DoS) vulnerability reported by the researcher (CVE-2019-13449) was fixed in May 2019 (Client version 4.4.2).

Solution

Zoom has released an update for the Mac client (4.4.53932.0709) that removes the web server and allows users to fully uninstall Zoom from the client. That update can be applied from the Zoom client or downloaded manually here. Zoom has also stated that it plans to provide further updates over the course of the coming weekend (July 12).

Users can disable automatic video in Zoom, which can be found here in your user settings:

How to disable automatic video in Zoom

Image Source: Jonathan Leitschuh

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.

Read more >

Published on Jul 10, 2019

People also viewed

Business Cost Analyst - Cloud Infrastructure

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is seeking a Business Cost Analyst of Cloud Infrastructure with strong MS Excel experience to assess, analyze and compile current costs and potentially determine initiatives to reduce and improve our cloud infrastructure cost for...

Professional Services Engagement Manager

Singapore Singapore Singapore North Bridge Road, Parkview Square, Singapore, 188788 Professional Services Professional Services
Your Role:The Professional Services Engagement Manager assists in the professional services business development and oversees the delivery of projects. The Professional Services Engagement Manager’s roles include tactical project management oversi...

UX Designer

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Engineering Engineering
Your Role:Tenable is looking for an extraordinary Senior UX Designer to join our team. Our group is chartered with creating the next generation of security products while at the same time pioneering unprecedented user experience in the digital sec...

Commercial Territory Manager - West

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Senior Software Engineer (Java & Kotlin)

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is looking for a Senior Software Engineer to join the Lumin product development team. As a Sr. Software Engineer you will drive projects end-to-end, collaborate on product requirements with Product Managers, architect and impleme...

Public Sector Channel Manager - Distribution

Reston Virginia United States Reston, Virginia, United States Channel Sales Sales
Your Role:The Public Sector Channel Manager-Distribution is responsible for establishing and managing relationships with the Distribution Partner(s).  The CM-Disty will act as a sales liaison between distributor and Tenable Channel Manager personn...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.