
Zoom Vulnerability

Reference: 
Advisory #2019-018
Version: 
1.0
Affected software: 
Zoom for macOS
Type: 
DDoS, Unauthorized access
CVE/CVSS: 
CVE-2019-13449, CVE-2019-13450

Sources

https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Risks

A vulnerability discovered in the Mac Zoom client allows a maliciously crafted website to enable the user's camera without permission and/or perform a denial of service by repeatedly joining the user to an invalid call. Uninstalling the application still leaves a localhost server running on the vulnerable system, which allows the client to be re-installed without user consent.

A proof of concept is available.

Recommended Actions

CERT.be recommends that system administrators update vulnerable Zoom client applications for macOS users to the latest version:
https://zoom.us/download