Other official information and services: www.belgium.be

Zoom Vulnerability

Reference:

Advisory #2019-018

Version:

1.0

Affected software:

Zoom for MacOs

Type:

DDOS, Unauthorized access

CVE/CVSS:

CVE-2019-13449, CVE-2019-13450

Date:

10/07/2019

Sources

https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Risks

A vulnerability discovered in the Mac Zoom client allows maliciously crafted websites to enable your camera without your permission or/and perform a denial of service by constantly joining a user to an invalid call repeatedly. Uninstalling the application still leaves a localhost server running on the vulnerable system, allowing re-installation without user consent.

A proof of concept is available.

Recommended Actions

CERT.be recommends system administrators to update vulnerable zoom client applications for MacOS users to the latest version:
https://zoom.us/download